CVE-2026-33054 · CRITICAL 9.8 · EPSS percentile 48.8%

Description

Mesop is a Python-based UI framework for building web applications. Versions 1.2.2 and below contain a path traversal vulnerability: any user who supplies an untrusted state_token through the UI stream payload can make the standard file-based runtime backend target arbitrary files on disk. This can result in application denial of service (crash loops when a non-msgpack target file is read as configuration) or arbitrary file manipulation. The vulnerability heavily exposes deployments that use FileStateSessionBackend: unauthenticated attackers could supply payloads that overwrite or delete underlying service resources outside the application's intended directory. This issue has been fixed in version 1.2.3.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.71% probability of exploitation · percentile 48.8% · 2026-06-18T12:00:27Z
Published: 2026-03-20
Last modified: 2026-03-24

Underlying weaknesses (1)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

References

  1. https://github.com/mesop-dev/mesop/commit/c6b382f363b73ac32c402a2db3aadc7784f66a5b
  2. https://github.com/mesop-dev/mesop/releases/tag/v1.2.3
  3. https://github.com/mesop-dev/mesop/security/advisories/GHSA-8qvf-mr4w-9x2c

Weakness mapping (1)

Type: Weakness
Target: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (cwe-22)
Confidence: 0%
Tier: live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-33057
  2. CVE-2025-30358
  3. CVE-2026-38360
  4. CVE-2026-11322
  5. CVE-2025-41736
  6. CVE-2026-7302

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.