{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33054", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T18:10:50.212Z", "datePublished": "2026-03-20T06:57:35.948Z", "dateUpdated": "2026-03-20T06:57:35.948Z"}, "containers": {"cna": {"title": "Mesop: Path Traversal utilizing `FileStateSessionBackend` leads to Application Denial of Service and File Write/Deletion", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-8qvf-mr4w-9x2c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-8qvf-mr4w-9x2c"}, {"name": "https://github.com/mesop-dev/mesop/commit/c6b382f363b73ac32c402a2db3aadc7784f66a5b", "tags": ["x_refsource_MISC"], "url": "https://github.com/mesop-dev/mesop/commit/c6b382f363b73ac32c402a2db3aadc7784f66a5b"}, {"name": "https://github.com/mesop-dev/mesop/releases/tag/v1.2.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/mesop-dev/mesop/releases/tag/v1.2.3"}], "affected": [{"vendor": "mesop-dev", "product": "mesop", "versions": [{"version": "< 1.2.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T06:57:35.948Z"}, "descriptions": [{"lang": "en", "value": "Mesop is a Python-based UI framework that allows users to build web applications. Versions 1.2.2 and below contain a Path Traversal vulnerability that allows any user supplying an untrusted state_token through the UI stream payload to arbitrarily target files on the disk under the standard file-based runtime backend. This can result in application denial of service (via crash loops when reading non-msgpack target files as configurations), or arbitrary file manipulation. This vulnerability heavily exposes systems hosted utilizing FileStateSessionBackend. Unauthorized malicious actors could interact with arbitrary payloads overwriting or explicitly removing underlying service resources natively outside the application bounds. This issue has been fixed in version 1.2.3."}], "source": {"advisory": "GHSA-8qvf-mr4w-9x2c", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Mesop is a Python-based UI framework that allows users to build web applications. Versions 1.2.2 and below contain a Path Traversal vulnerability that allows any user supplying an untrusted state_token through the UI stream payload to arbitrarily target files on the disk under the standard file-based runtime backend. This can result in application denial of service (via crash loops when reading non-msgpack target files as configurations), or arbitrary file manipulation. This vulnerability heavily exposes systems hosted utilizing FileStateSessionBackend. Unauthorized malicious actors could interact with arbitrary payloads overwriting or explicitly removing underlying service resources natively outside the application bounds. This issue has been fixed in version 1.2.3."}], "id": "CVE-2026-33054", "lastModified": "2026-03-20T07:16:13.363", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T07:16:13.363", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/mesop-dev/mesop/commit/c6b382f363b73ac32c402a2db3aadc7784f66a5b"}, {"source": "security-advisories@github.com", "url": "https://github.com/mesop-dev/mesop/releases/tag/v1.2.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-8qvf-mr4w-9x2c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "mesop", "source": "cna", "vendor": "mesop-dev"}, "product": "mesop", "vendor": "mesop-dev"}], "analysis": {"en": {"generated_at": "2026-03-20T08:21:49.676038+00:00", "value": {"mitigation_remediation": ["Apply the official Mesop patch by upgrading to version 1.2.3 or later.", "Verify that the FileStateSessionBackend is properly configured and that the application does not accept arbitrary state_token values from untrusted sources.", "If upgrading is not immediately possible, disable or remove the FileStateSessionBackend until a patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Write / Deletion"}, "threat_synthesis": {"affected_systems": "All Mesop installations from version 1.2.2 and earlier that utilize the FileStateSessionBackend are affected. The vulnerability applies to the mesop-dev:mesop package, as indicated by the vendor\u2019s advisory. Users running versions prior to v1.2.3 are at risk.", "description_and_impact": "Mesop is a Python-based UI framework that contains a path traversal vulnerability in the FileStateSessionBackend. Untrusted state_token values supplied via the UI stream payload allow an attacker to reference arbitrary files on the host file system. This results in the ability to overwrite or delete files outside the application\u2019s intended scope, and can also cause application crashes by attempting to read invalid configuration files, leading to denial of service. The weakness is classified as CWE-22, Path Traversal.", "risk_and_exploitability": "The CVSS score of 10 indicates maximum severity. Though the EPSS score is not available, the nature of the flaw allows any authenticated or unauthenticated user who can send a UI stream payload to manipulate the state_token to be able to exploit it remotely. The vulnerability is not listed in the CISA KEV catalog, but its high impact and reachable attack vector make it a critical risk that should be mitigated immediately."}}}}, "created": "2026-03-20T08:52:16.796017+00:00", "updated": "2026-03-20T10:36:58.144788+00:00", "vendors": ["mesop-dev", "mesop-dev$PRODUCT$mesop"]}