CRITICAL🇵🇱 Wersja polska

CVE-2026-33057

CVSS 9.8v3.1pub. 2026-03-20upd. 2026-03-24

Mesop is a Python-based UI framework that allows users to build web applications. In versions 1.2.2 and below, an explicit web endpoint inside the ai/ testing module infrastructure directly ingests untrusted Python code strings unconditionally without authentication measures, yielding standard Unrestricted Remote Code Execution. Any individual capable of routing HTTP logic to this server block will gain explicit host-machine command rights. The AI codebase package includes a lightweight debugging Flask server inside ai/sandbox/wsgi_app.py. The /exec-py route accepts base_64 encoded raw string payloads inside the code parameter natively evaluated by a basic POST web request. It saves it rapidly to the operating system logic path and injects it recursively using execute_module(module_path...). This issue has been fixed in version 1.2.3.

🤖 AI Analysis
How it works

The AI framework package Mesop contains an auxiliary Flask server (ai/sandbox/wsgi_app.py) with an /exec-py endpoint. This endpoint accepts HTTP POST requests with a code parameter containing Python code encoded in Base64. The submitted code is decoded, written to the operating system disk, and then executed using the execute_module() function — without any verification of the caller's identity. Anyone able to submit an HTTP request to this server gains immediate ability to execute arbitrary commands with the privileges of the server process.

Impact

An attacker without any authentication can execute arbitrary code on the hosting machine, leading to full server takeover, data leakage, installation of malicious software, or further lateral movement in the network.

Mitigation & patch

Update Mesop to version 1.2.3, where the vulnerability has been fixed. Until the update is applied, it is recommended to block network access to the /exec-py endpoint and ensure that the Flask debugging server from the ai/sandbox module is not exposed publicly.

Who is affected

Mesop (mesop-dev/mesop) in versions 1.2.2 and below, if deployed with the accessible ai/sandbox/wsgi_app.py module

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mesop Dev Mesop

    APP
    Mesop-Dev
    < 1.2.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-33054CRITICAL10.0PL ✓ten sam produkt

Path Traversal w Mesop — dowolny dostęp do plików i DoS

CVE-2026-34824HIGH7.5ten sam produkt

Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before...