Platform
python
Component
mesop
Fixed in
1.2.4
1.2.3
CVE-2026-33054 describes a critical Path Traversal vulnerability discovered in mesop. This flaw allows attackers to leverage the state_token parameter to arbitrarily access files on the disk when the application uses the FileStateSessionBackend. Affected versions include those prior to 1.2.3; a patch is available to resolve this issue.
The impact of this Path Traversal vulnerability is significant. An attacker who can control the state_token can bypass intended access controls and read or even modify files on the server's file system. This could lead to a denial of service by repeatedly requesting invalid files, causing the application to crash. More critically, an attacker could potentially overwrite configuration files or other sensitive data, leading to complete system compromise. The ability to manipulate files directly on disk represents a severe security risk, especially in environments where mesop is used to manage critical infrastructure or sensitive data.
CVE-2026-33054 was publicly disclosed on 2026-03-18. The vulnerability's severity is rated as CRITICAL (CVSS score 10). As of this writing, there are no known public exploits or active campaigns targeting this vulnerability. It is not currently listed on the CISA KEV catalog. The ease of exploitation, given the ability to manipulate a UI parameter, warrants careful attention and prompt patching.
Organizations deploying mesop with the FileStateSessionBackend are at significant risk, particularly those running versions prior to 1.2.3. Shared hosting environments where multiple users share the same file system are especially vulnerable, as an attacker could potentially compromise other users' sessions.
• python / server:

```python
import re
import subprocess


def check_mesop_version():
    """Report whether the installed mesop release is below the patched version 1.2.3."""
    try:
        result = subprocess.check_output(['mesop', '--version'],
                                         stderr=subprocess.STDOUT, text=True)
    except FileNotFoundError:
        print("mesop not found. Check installation.")
        return
    version = result.strip()
    # Keep only the leading numeric components, so '1.2.2rc1' compares as (1, 2, 2)
    # and every release before 1.2.3 (not just the 1.2.2rc line) is flagged.
    match = re.search(r'(\d+)\.(\d+)\.(\d+)', version)
    if match is None:
        print(f"Could not parse mesop version output: {version!r}. Check for updates.")
        return
    if tuple(int(part) for part in match.groups()) < (1, 2, 3):
        print(f"VULNERABLE: mesop version {version} detected.")
    else:
        print(f"PATCHED: mesop version {version} detected.")


check_mesop_version()
```
EPSS
0.02% (6th percentile)
The primary mitigation for CVE-2026-33054 is to upgrade mesop to version 1.2.3 or later, which contains the fix for this vulnerability. If immediate upgrading is not possible, consider implementing stricter input validation on the state_token parameter to prevent malicious input. While not a complete solution, a Web Application Firewall (WAF) configured to block requests containing suspicious characters or patterns in the state_token could provide an additional layer of defense. Monitor system logs for unusual file access patterns or attempts to read files outside of expected directories.
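As an added example (not code from the mesop project; the hex token format and the scratch session directory are assumptions for illustration), this contrasts a lookup that joins the state token straight onto the session directory with a hardened lookup that allow-lists the token format and verifies the resolved path stays inside that directory:

```python
import os
import re
import tempfile
from typing import Optional

# Assumption for this example: state tokens are opaque lowercase hex strings.
# This is not mesop's actual token format.
TOKEN_RE = re.compile(r"[0-9a-f]{16,64}")


def unsafe_state_path(session_dir: str, state_token: str) -> str:
    """Lookup pattern behind this class of bug: the token is joined to the
    session directory unvalidated, so '..' segments or an absolute token
    resolve to a file outside session_dir."""
    return os.path.join(session_dir, state_token)


def safe_state_path(session_dir: str, state_token: str) -> Optional[str]:
    """Hardened lookup: allow-list the token format first, then confirm the
    resolved path is still inside session_dir. Returns None when rejected."""
    if TOKEN_RE.fullmatch(state_token) is None:
        return None
    base = os.path.realpath(session_dir)
    candidate = os.path.realpath(os.path.join(base, state_token))
    # realpath() collapses '..' and symlinks; commonpath proves containment.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def escapes(session_dir: str, path: str) -> bool:
    """True if path resolves to a location outside session_dir."""
    base = os.path.realpath(session_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def demo() -> dict:
    """Run both lookups against constructed tokens in a scratch directory."""
    session_dir = tempfile.mkdtemp(prefix="sessions_")
    good = "0123456789abcdef0123456789abcdef"
    traversal = "../../etc/hostname"      # constructed traversal attempt
    absolute = "/etc/hostname"            # constructed absolute-path attempt
    return {
        "unsafe_escapes": escapes(session_dir, unsafe_state_path(session_dir, traversal)),
        "safe_rejects_traversal": safe_state_path(session_dir, traversal) is None,
        "safe_rejects_absolute": safe_state_path(session_dir, absolute) is None,
        "safe_accepts_valid": safe_state_path(session_dir, good) is not None,
    }
```

The containment check is the important half: a format allow-list alone can be bypassed if the token format is ever relaxed, while `commonpath` on the `realpath` result rejects any token that leaves the session directory regardless of how it is spelled.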
Update Mesop to version 1.2.3 or higher. This version fixes the path traversal vulnerability in the `FileStateSessionBackend`.
CVE-2026-33054 is a critical Path Traversal vulnerability in mesop affecting versions up to 1.2.2rc1. It allows attackers to access and potentially modify files on the disk by manipulating the state_token.
You are affected if you are using mesop version 1.2.2rc1 or earlier and have the FileStateSessionBackend enabled. Check your version immediately.
Upgrade mesop to version 1.2.3 or later to resolve this vulnerability. If immediate upgrade is not possible, implement WAF rules to sanitize the state_token.
While no public exploits are currently known, the ease of exploitation suggests a potential for active exploitation. Monitor your systems closely.
Refer to the official mesop project's security advisories for the most up-to-date information and guidance: [https://mesop.example/security](https://mesop.example/security) (replace with actual advisory URL)