CVE-2026-33054

Exploit

EPSS 0.71%
Veröffentlicht 20.03.2026 07:16:13
Zuletzt bearbeitet 24.03.2026 16:29:12
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Mesop: Path Traversal utilizing `FileStateSessionBackend` leads to Application Denial of Service and File Write/Deletion

Mesop is a Python-based UI framework that allows users to build web applications. Versions 1.2.2 and below contain a Path Traversal vulnerability that allows any user supplying an untrusted state_token through the UI stream payload to arbitrarily target files on the disk under the standard file-based runtime backend. This can result in application denial of service (via crash loops when reading non-msgpack target files as configurations), or arbitrary file manipulation. This vulnerability heavily exposes systems hosted utilizing FileStateSessionBackend. Unauthorized malicious actors could interact with arbitrary payloads overwriting or explicitly removing underlying service resources natively outside the application bounds. This issue has been fixed in version 1.2.3.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mesop-dev ≫ Mesop Version < 1.2.3

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.71%	0.487

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://github.com/mesop-dev/mesop/commit/c6b382f363b73ac32c402a2db3aadc7784f66a5b

Patch

https://github.com/mesop-dev/mesop/releases/tag/v1.2.3

Release Notes

https://github.com/mesop-dev/mesop/security/advisories/GHSA-8qvf-mr4w-9x2c

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-33054

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33054

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33054

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33054