Description
Mesop is a Python-based UI framework that allows users to build web applications. Versions 1.2.2 and below contain a Path Traversal vulnerability that allows any user supplying an untrusted state_token through the UI stream payload to arbitrarily target files on the disk under the standard file-based runtime backend. This can result in application denial of service (via crash loops when reading non-msgpack target files as configurations), or arbitrary file manipulation. This vulnerability heavily exposes systems hosted utilizing FileStateSessionBackend. Unauthorized malicious actors could interact with arbitrary payloads overwriting or explicitly removing underlying service resources natively outside the application bounds. This issue has been fixed in version 1.2.3.
Published: 2026-03-20
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write/Deletion
Action: Immediate Patch
AI Analysis

Impact

Mesop, a Python-based UI framework, is affected by a path traversal flaw in versions 1.2.2 and earlier. An attacker can supply an untrusted state_token through the UI stream payload, causing the FileStateSessionBackend to resolve arbitrary file paths on the host file system. This can result in application denial of service, as the server may crash when attempting to read non-msgpack configuration files, or enable the attacker to write or delete files outside the application's intended directory hierarchy.

Affected Systems

The affected product is Mesop developed by mesop-dev. Versions 1.2.2 and older are vulnerable. The issue is fixed in release 1.2.3. Systems that rely on FileStateSessionBackend for session state and are hosting the application are at risk.

Risk and Exploitability

The CVSS score of 10 indicates that this is a critical vulnerability. The EPSS score of less than 1 percent suggests that exploitation incidents are currently rare, and the vulnerability is not listed in the CISA KEV catalog, so no known large-scale attacks have been reported. Nonetheless, the flaw is reachable via the publicly exposed UI stream, so it can be exploited remotely by an attacker without needing privileged access. Attackers would need to craft a malicious state_token and deliver it through the UI; upon processing, the backend will resolve and potentially overwrite or delete arbitrary files on the host, which can compromise system integrity or lead to denial of service.

Generated by OpenCVE AI on March 24, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mesop to version 1.2.3 or later.
  • If possible, switch to a safer session backend that does not perform path traversal on untrusted tokens.
  • Monitor application logs for abnormal crashes or file modification activity to detect any remaining exploitation attempts.

Generated by OpenCVE AI on March 24, 2026 at 17:29 UTC.
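As an added illustration of the bug class this record describes (not Mesop's own code and not the actual fix shipped in 1.2.3), the following hypothetical file-backed session store shows the vulnerable join of a client-supplied token beside a hardened lookup that whitelists the token format and confirms the resolved path stays inside the state directory, so a traversal token is rejected before any file is read. STATE_DIR, TOKEN_RE and the function names are assumptions made for this example.

```python
import re
import tempfile
from pathlib import Path

# Constructed state directory for this example; a real deployment configures its own.
STATE_DIR = Path(tempfile.gettempdir()) / "mesop_state_example"

# Only tokens the server itself issues should be accepted: here, 32 lowercase hex
# characters (assumed format). Anything else is rejected before the filesystem is touched.
TOKEN_RE = re.compile(r"[0-9a-f]{32}")


def unsafe_state_path(base: Path, token: str) -> Path:
    """Vulnerable pattern: the client-supplied token is joined onto the base directory
    unchanged, so '../x' walks upward and an absolute token replaces the base entirely."""
    return base / token


def safe_state_path(base: Path, token: str) -> Path:
    """Hardened lookup: whitelist the token format, then verify the resolved path is a
    direct child of the state directory (resolve() collapses '..' and symlinks)."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("malformed state token")
    base_resolved = base.resolve()
    candidate = (base_resolved / token).resolve()
    if candidate.parent != base_resolved:
        raise ValueError("state token resolves outside the state directory")
    return candidate


def escapes_base(base: Path, token: str) -> bool:
    """True when the unsafe join would land outside the base directory; useful for
    checking tokens seen in request logs against the vulnerable behaviour."""
    base_resolved = base.resolve()
    target = unsafe_state_path(base, token).resolve()
    return target != base_resolved and base_resolved not in target.parents


def token_is_accepted(token: str) -> bool:
    """Does the hardened lookup accept this token?"""
    try:
        safe_state_path(STATE_DIR, token)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for tok in ["0123456789abcdef0123456789abcdef", "../../outside.txt", "/etc/hostname"]:
        print(f"{tok!r}: unsafe escapes base={escapes_base(STATE_DIR, tok)}, "
              f"hardened accepts={token_is_accepted(tok)}")
```

Because the hardened lookup rejects tokens before opening anything, the crash loop from decoding a non-msgpack file is also unreachable through this path.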


Advisories
Source: Github GHSA
ID: GHSA-8qvf-mr4w-9x2c
Title: Mesop has a Path Traversal utilizing `FileStateSessionBackend` leads to Application Denial of Service and File Write/Deletion
History

Tue, 24 Mar 2026 16:30:00 +0000
  Type: CPEs
  Values Added: cpe:2.3:a:mesop-dev:mesop:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 14:15:00 +0000
  Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000
  Type: First Time appeared
  Values Added: Mesop-dev; Mesop-dev mesop
  Type: Vendors & Products
  Values Added: Mesop-dev; Mesop-dev mesop

Fri, 20 Mar 2026 07:15:00 +0000
  Type: Description
  Values Added: (the description text shown at the top of this page)
  Type: Title
  Values Added: Mesop: Path Traversal utilizing `FileStateSessionBackend` leads to Application Denial of Service and File Write/Deletion
  Type: Weaknesses
  Values Added: CWE-22
  Type: References
  Values Added: (none listed)
  Type: Metrics (cvssV3_1)
  Values Added: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T13:50:27.328Z

Reserved: 2026-03-17T18:10:50.212Z

Link: CVE-2026-33054

Vulnrichment

Updated: 2026-03-20T13:50:22.516Z

NVD

Status : Analyzed

Published: 2026-03-20T07:16:13.363

Modified: 2026-03-24T16:29:12.830

Link: CVE-2026-33054

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:30:13Z

Weaknesses