CVE

CVE-2026-33054

Mesop: Path Traversal utilizing `FileStateSessionBackend` leads to Application Denial of Service and File Write/Deletion

Mesop is a Python-based UI framework for building web applications. Versions 1.2.2 and below contain a path traversal vulnerability: any user who supplies an untrusted `state_token` through the UI stream payload can target arbitrary files on disk when the standard file-based runtime backend is in use. The result can be application denial of service (crash loops when non-msgpack target files are read as configurations) or arbitrary file manipulation. Deployments that use `FileStateSessionBackend` are the ones exposed: an unauthorized actor could overwrite or delete files belonging to the underlying service, outside the application's bounds. This issue has been fixed in version 1.2.3.
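The bug class described above and one way to close it, shown as an added example that is not Mesop's code or its actual patch. The function names, the token pattern and the one-file-per-token layout are assumptions made for illustration.

```python
import re
from pathlib import Path

# Assumed token format for this sketch: URL-safe characters only, bounded length.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,128}")


class InvalidStateToken(ValueError):
    """Raised when a client-supplied token cannot name a session file."""


def naive_session_path(base_dir: Path, state_token: str) -> Path:
    # The pattern the advisory describes: the token is joined to the session
    # directory unchecked, so parent-directory segments or an absolute path
    # make the result point outside base_dir.
    return base_dir / state_token


def safe_session_path(base_dir: Path, state_token: str) -> Path:
    # 1. Allow-list the token so it cannot carry separators or dots.
    if not TOKEN_RE.fullmatch(state_token):
        raise InvalidStateToken("unexpected characters or length in state token")
    # 2. Defense in depth: resolve symlinks and confirm containment.
    base = base_dir.resolve()
    candidate = (base / state_token).resolve()
    if base not in candidate.parents:
        raise InvalidStateToken("state token resolves outside the session directory")
    return candidate


def escapes(base_dir: Path, path: Path) -> bool:
    """True when a resolved path is not located under base_dir."""
    return base_dir.resolve() not in path.resolve().parents


def classify(base_dir: Path, state_token: str) -> str:
    """Return 'ok' or 'rejected'; useful for logging rejected tokens."""
    try:
        safe_session_path(base_dir, state_token)
        return "ok"
    except InvalidStateToken:
        return "rejected"
```

Rejected tokens are worth logging with the client address, since a legitimate client never produces one.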

CVSS Version

Severity: Critical
Base Score: 10
CVSS Version: 3.1
Score Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References

https://github.com/mesop-dev/mesop/releases/tag/v1.2.3
https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33054.json
https://github.com/mesop-dev/mesop/security/advisories/GHSA-8qvf-mr4w-9x2c
https://nvd.nist.gov/vuln/detail/CVE-2026-33054
https://github.com/mesop-dev/mesop/commit/c6b382f363b73ac32c402a2db3aadc7784f66a5b

Basic Information

Base CVSS: 10
EPSS Probability: 0.00713%
EPSS Percentile: 0.48658%
Introduced Version: 0
Fix Available: c6b382f363b73ac32c402a2db3aadc7784f66a5b, 254727d4ad1eb912b74e4ce47c3321b5dd45d36d
