Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables code execution on other users' systems. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.
Published: 2026-05-20
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper control of code generation enables an attacker to inject and execute arbitrary code on systems that use the affected Mesalvo Meona components. The vulnerability, classified as CWE‑94, allows malicious input to be interpreted as code, leading to full compromise of confidentiality, integrity, and availability. The impact is a critical failure that can affect any user interacting with the components, potentially allowing an attacker to take over the affected system.

Affected Systems

The flaw affects two Mesalvo products: the Meona Client Launcher Component through 19.06.2020 15:11:49, and the Meona Server Component through 2025.04 5+323020. Users running these versions are exposed.

Risk and Exploitability

With a CVSS score of 9.0 the vulnerability is rated critical. The EPSS score is below 1% (very low) and the flaw is not listed in the CISA KEV catalog, so no exploitation in the wild has been recorded, but the remote code execution potential, the high severity and the absence of mitigation guidance mean the risk should still be treated as significant. Based on the description, the attack vector most likely involves injecting code through user‑supplied data that the Meona components evaluate or execute.

Generated by OpenCVE AI on May 20, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any Mesalvo‑issued patch for the Meona Client Launcher and Server components immediately.
  • Restrict access to the Meona components to trusted hosts and authenticated users only, reducing the surface for injection attempts.
  • Enforce strict input validation and sanitization for all data that could be used in dynamic code generation within the Meona components.

Advisories

No advisories yet.

History

Wed, 20 May 2026 13:30:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 May 2026 12:45:00 +0000

Type: Title
Values Removed: none
Values Added: Code Injection Vulnerability in Mesalvo Meona Components Allowing Remote Code Execution

Wed, 20 May 2026 11:15:00 +0000

Type: Description
Values Removed: none
Values Added: Improper Control of Generation of Code ('Code Injection') vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables code execution on other users' systems. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.

Type: Weaknesses
Values Removed: none
Values Added: CWE-94

Type: References
Values Removed: none
Values Added:

Type: Metrics
Values Removed: none
Values Added: cvssV3_1 {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: ENISA

Published:

Updated: 2026-05-20T12:34:04.008Z

Reserved: 2026-01-07T09:31:00.563Z

Link: CVE-2026-22314

Vulnrichment

Updated: 2026-05-20T12:30:06.197Z

NVD

Status: Deferred

Published: 2026-05-20T11:16:26.057

Modified: 2026-05-20T14:03:10.193

Link: CVE-2026-22314

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T12:30:16Z
