Cyber Resilience

CVE-2026-33054

Critical · Public PoC

Published: 20 March 2026
Modified: 24 March 2026
KEV Added: not listed
Patch: fixed in version 1.2.3
CVSS Score: 10.0 (v3.1) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 0.0071 (48.8th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-33054 is a critical-severity Path Traversal (CWE-22) vulnerability in Mesop-Dev Mesop. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 48.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33054 is a path traversal vulnerability (CWE-22) in Mesop, a Python-based UI framework for building web applications. It affects versions 1.2.2 and prior, specifically systems using the standard file-based runtime backend, such as FileStateSessionBackend. The flaw arises because an untrusted state_token supplied through the UI stream payload is used to select the file the backend reads or writes, so an attacker can target arbitrary files on the disk. This can lead to application denial of service via crash loops (when non-msgpack files are read as configurations) or to arbitrary file manipulation. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity.

Any unauthenticated user (PR:N) interacting with a vulnerable Mesop instance over the network can exploit this by crafting a malicious state_token in the UI stream payload. Successful exploitation allows arbitrary file read, write, or deletion on the host filesystem, including overwriting or removing underlying service resources outside the application's boundaries. This can result in complete compromise of the hosting system, as attackers operate with the privileges of the Mesop process.

The issue has been addressed in Mesop version 1.2.3, as detailed in the project's security advisory (GHSA-8qvf-mr4w-9x2c), release notes, and the fixing commit (c6b382f363b73ac32c402a2db3aadc7784f66a5b). Security practitioners should upgrade to v1.2.3 or later and review deployments using FileStateSessionBackend for exposure.
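To make the mechanism concrete, the following is an added example written for this page, not code from the Mesop project: a minimal file-based session backend in the style described above, showing how joining a client-supplied state_token onto the state directory yields the CWE-22 pattern, and the allow-list plus containment check that corresponds to the SI-10 input validation control. The directory /srv/mesop-state, the token format and all function names are assumptions.

```python
"""Added example (not Mesop's code): state_token -> on-disk path, unsafe and safe."""
import re
from pathlib import Path
from typing import Optional

# Hypothetical allow-list for tokens the backend itself issued: URL-safe
# characters only, so '/', '\\', '.' and NUL never reach the filesystem.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,128}")


def naive_state_path(base_dir: str, state_token: str) -> Path:
    """The CWE-22 pattern: the token is joined straight onto the base directory.
    pathlib discards base_dir when the token is absolute, and '..' segments
    walk out of it, so the client chooses which file is read or written."""
    return Path(base_dir) / state_token


def escapes_base(base_dir: str, candidate: Path) -> bool:
    """True when candidate resolves outside base_dir (or is base_dir itself)."""
    base = Path(base_dir).resolve()
    target = candidate.resolve()
    return target == base or base not in target.parents


def safe_state_path(base_dir: str, state_token: str) -> Path:
    """Hardened lookup: allow-list the token format, then confirm the resolved
    path is a direct child of the state directory. Raises ValueError otherwise."""
    if not isinstance(state_token, str) or not TOKEN_RE.fullmatch(state_token):
        raise ValueError("state_token has unexpected format")
    base = Path(base_dir).resolve()
    target = (base / state_token).resolve()
    if target.parent != base:  # defence in depth behind the regex
        raise ValueError("state_token resolves outside the state directory")
    return target


def lookup_state_file(base_dir: str, state_token: str) -> Optional[Path]:
    """What a request handler should do with an untrusted token: treat a bad
    token as 'no session' (start fresh) instead of touching the disk or
    letting the worker crash on whatever file the path points at."""
    try:
        return safe_state_path(base_dir, state_token)
    except ValueError:
        return None
```

Paths are resolved without requiring the directory to exist, so the checks can be unit-tested without a real state directory.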


Vulnerability details

Mesop is a Python-based UI framework that allows users to build web applications. Versions 1.2.2 and below contain a Path Traversal vulnerability that allows any user supplying an untrusted state_token through the UI stream payload to arbitrarily target files on the disk under the standard file-based runtime backend. This can result in application denial of service (via crash loops when reading non-msgpack target files as configurations), or arbitrary file manipulation. This vulnerability heavily exposes systems hosted utilizing FileStateSessionBackend. Unauthorized malicious actors could interact with arbitrary payloads overwriting or explicitly removing underlying service resources natively outside the application bounds. This issue has been fixed in version 1.2.3.

Related Threats: MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1070.004 File Deletion (Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.

T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Path traversal in a public-facing Mesop web app directly enables remote unauthenticated exploitation (T1190) with arbitrary file read (T1005), deletion (T1070.004/T1485), and overwrite/manipulation (T1565.001), leading to DoS or full host compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34824: same product (Mesop-Dev Mesop)
CVE-2026-33057: same product (Mesop-Dev Mesop)
CVE-2024-54291: shared CWE-22
CVE-2026-44243: shared CWE-22
CVE-2026-28791: shared CWE-22
CVE-2025-30005: shared CWE-22
CVE-2026-5478: shared CWE-22
CVE-2025-6989: shared CWE-22
CVE-2026-24969: shared CWE-22
CVE-2026-33493: shared CWE-22

Affected Assets

mesop-dev / mesop: ≤ 1.2.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent, SI-10 (Information Input Validation): Directly prevents path traversal by validating and sanitizing untrusted state_token inputs in the UI stream payload to block access to arbitrary files.

Prevent, SI-2 (Flaw Remediation): Requires timely remediation of the specific path traversal flaw through patching to Mesop version 1.2.3 or later.

Prevent: Limits the impact of successful exploitation by enforcing least privilege on the Mesop process, restricting access to only necessary files and directories.
