VDB

CVE-2026-33057

CVE-2026-33057 PUBLISHED CVSS 9.800000190734863 CRITICAL

Mesop is a Python-based UI framework that allows users to build web applications. In versions 1.2.2 and below, an explicit web endpoint inside the ai/ testing module infrastructure directly ingests untrusted Python code strings unconditionally without authentication measures, yielding standard Unrestricted Remote Code Execution. Any individual capable of routing HTTP logic to this server block will gain explicit host-machine command rights. The AI codebase package includes a lightweight debugging Flask server inside ai/sandbox/wsgi_app.py. The /exec-py route accepts base_64 encoded raw string payloads inside the code parameter natively evaluated by a basic POST web request. It saves it rapidly to the operating system logic path and injects it recursively using execute_module(module_path...). This issue has been fixed in version 1.2.3.

EPSS 12.90% · 94.2th percentile

Risk Scores

CVSS v3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
12.90%
94.2th percentile

Affected Products

VendorProductVersions
PyPImesop0, 0, 0
mesop-devmesop< 1.2.3, < 1.2.3, 0

Timeline

  • Mar 18, 2026 CVE Published
  • Mar 19, 2026 Security Advisory
  • Mar 20, 2026 CVE Updated
  • Mar 20, 2026 EPSS Score
  • Mar 20, 2026 PoC Published
  • Mar 20, 2026 PoC Published
  • Mar 20, 2026 PoC Published
  • Mar 21, 2026 EPSS Score
  • Mar 22, 2026 EPSS Score
  • Mar 22, 2026 Coalition ESS Score
  • Mar 23, 2026 EPSS Score
  • Mar 24, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›