CVE-2026-33054

Mesop is a Python-based UI framework that allows users to build web applications. Versions 1.2.2 and below contain a Path Traversal vulnerability that allows any user supplying an untrusted state_token through the UI stream payload to arbitrarily target files on the disk under the standard file-based runtime backend. This can result in application denial of service (via crash loops when reading non-msgpack target files as configurations), or arbitrary file manipulation. This vulnerability heavily exposes systems hosted utilizing FileStateSessionBackend. Unauthorized malicious actors could interact with arbitrary payloads overwriting or explicitly removing underlying service resources natively outside the application bounds. This issue has been fixed in version 1.2.3.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/mesop-dev/mesop/commit/c6b382f363b73ac32c402a2db3aadc7784f66a5b	Patch
https://github.com/mesop-dev/mesop/releases/tag/v1.2.3	Release Notes
https://github.com/mesop-dev/mesop/security/advisories/GHSA-8qvf-mr4w-9x2c	Exploit Vendor Advisory
https://github.com/mesop-dev/mesop/security/advisories/GHSA-8qvf-mr4w-9x2c	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mesop-dev:mesop:*:*:*:*:*:*:*:*

History

24 Mar 2026, 16:29

Type	Values Removed	Values Added
References	~~() https://github.com/mesop-dev/mesop/commit/c6b382f363b73ac32c402a2db3aadc7784f66a5b -~~	() https://github.com/mesop-dev/mesop/commit/c6b382f363b73ac32c402a2db3aadc7784f66a5b - Patch
References	~~() https://github.com/mesop-dev/mesop/releases/tag/v1.2.3 -~~	() https://github.com/mesop-dev/mesop/releases/tag/v1.2.3 - Release Notes
References	~~() https://github.com/mesop-dev/mesop/security/advisories/GHSA-8qvf-mr4w-9x2c -~~	() https://github.com/mesop-dev/mesop/security/advisories/GHSA-8qvf-mr4w-9x2c - Exploit, Vendor Advisory
First Time		Mesop-dev mesop Mesop-dev
CPE		cpe:2.3:a:mesop-dev:mesop::::::::
Summary		(es) Mesop es un framework de interfaz de usuario basado en Python que permite a los usuarios construir aplicaciones web. Las versiones 1.2.2 e inferiores contienen una vulnerabilidad de salto de ruta que permite a cualquier usuario que suministre un state_token no confiable a través de la carga útil del flujo de la interfaz de usuario dirigirse arbitrariamente a archivos en el disco bajo el backend de tiempo de ejecución estándar basado en archivos. Esto puede resultar en denegación de servicio de la aplicación (a través de bucles de bloqueo al leer archivos de destino que no son msgpack como configuraciones), o manipulación arbitraria de archivos. Esta vulnerabilidad expone gravemente los sistemas alojados que utilizan FileStateSessionBackend. Actores maliciosos no autorizados podrían interactuar con cargas útiles arbitrarias sobrescribiendo o eliminando explícitamente recursos de servicio subyacentes de forma nativa fuera de los límites de la aplicación. Este problema ha sido solucionado en la versión 1.2.3.

20 Mar 2026, 14:16

Type	Values Removed	Values Added
References	~~() https://github.com/mesop-dev/mesop/security/advisories/GHSA-8qvf-mr4w-9x2c -~~	() https://github.com/mesop-dev/mesop/security/advisories/GHSA-8qvf-mr4w-9x2c -

20 Mar 2026, 07:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-20 07:16

Updated : 2026-03-24 16:29

NVD link : CVE-2026-33054

Mitre link : CVE-2026-33054

CVE.ORG link : CVE-2026-33054

JSON object : View

Products Affected

mesop-dev

mesop

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

10.0 /10