cvedb.io
CVE-2026-33054
CRITICAL · CVSS 10
EPSS exploitation probability: 0%
Published 2026-03-20T07:16:13.363 · Last modified 2026-06-17T10:36:52.323

Summary

Mesop is a Python-based UI framework for building web applications. Versions 1.2.2 and below contain a path traversal vulnerability: any user who supplies an untrusted state_token through the UI stream payload can target arbitrary files on disk when the standard file-based runtime backend is in use. This can result in application denial of service (via crash loops when non-msgpack target files are read as configurations) or arbitrary file manipulation. Systems hosted with FileStateSessionBackend are heavily exposed: unauthorized actors could supply payloads that overwrite or remove underlying service resources outside the application's bounds. This issue has been fixed in version 1.2.3.
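The class of bug described above, and one way to guard a file-backed session store against it, as an added example that is not Mesop's code or its 1.2.3 fix. The function names, token format and directory layout are assumptions for illustration.

```python
import os
import re
import tempfile

# Assumption: tokens are server-issued URL-safe strings (format is illustrative).
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,128}")


def naive_state_path(base_dir, state_token):
    """Unchecked join: the pattern the advisory describes (hypothetical code)."""
    return os.path.join(base_dir, state_token)


def escapes_base(base_dir, path):
    """True when `path` resolves to a location outside `base_dir`."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def safe_state_path(base_dir, state_token):
    """Return the session file path, or raise ValueError for a bad token."""
    # 1. Allow-list the token: rejects separators, dots, NULs and empty values.
    if not isinstance(state_token, str) or not TOKEN_RE.fullmatch(state_token):
        raise ValueError("state_token has an unexpected format")
    # 2. Defense in depth: resolve symlinks, then confirm containment.
    candidate = os.path.join(os.path.realpath(base_dir), state_token)
    if escapes_base(base_dir, candidate):
        raise ValueError("state_token resolves outside the session directory")
    return os.path.realpath(candidate)


def demo():
    """Return (naive_escapes, accepted_by_safe) for each constructed token."""
    results = []
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "sessions")
        os.mkdir(base)
        # Constructed sample tokens, not captured traffic.
        tokens = ["A1b2C3d4E5f6G7h8", "../app_config", os.path.join(root, "other")]
        for token in tokens:
            naive_escapes = escapes_base(base, naive_state_path(base, token))
            try:
                safe_state_path(base, token)
                accepted = True
            except ValueError:
                accepted = False
            results.append((naive_escapes, accepted))
    return results
```

Calling `demo()` shows that the well-formed token stays inside the session directory, while the relative and absolute tokens escape it under the unchecked join and are rejected by the validated one.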

Affected products

mesop-dev — mesop

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.