Platform
python
Component
mesop
Fixed in
1.2.4
1.2.3
CVE-2026-33054 describes a critical Path Traversal vulnerability discovered in mesop. This flaw allows attackers to leverage the state_token parameter to arbitrarily access files on the disk when the application uses the FileStateSessionBackend. Affected versions include those prior to 1.2.3; a patch is available to resolve this issue.
The vulnerability's impact is significant due to its ability to bypass access controls and directly interact with the file system. An attacker could exploit this to read sensitive configuration files, potentially gaining insights into the application's internal workings. Furthermore, they could overwrite critical files, leading to application crashes or even complete denial of service. The ability to manipulate files on disk represents a serious compromise of system integrity, and the ease of exploitation via the UI stream payload amplifies the risk.
This vulnerability was publicly disclosed on 2026-03-18. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation described in the vulnerability details suggests a potential for rapid exploitation. It is not currently listed on the CISA KEV catalog, but its critical severity warrants close monitoring.
Exploit Status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade mesop to version 1.2.3 or later, which contains the fix for this vulnerability. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to sanitize the `state_token` parameter, restricting its values to a predefined whitelist. Additionally, restrict file system permissions for the mesop runtime process to minimize the potential damage from a successful attack. After upgrading, verify the fix by attempting to access a file outside the intended session state directory using a manipulated `state_token`.
Update Mesop to version 1.2.3 or higher. This version fixes the Path Traversal vulnerability in the `FileStateSessionBackend`.
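As an added illustration (not mesop's own code, and not a description of how `FileStateSessionBackend` is actually implemented), the following shows the kind of validation a file-backed session store should apply to a client-supplied `state_token` before it touches the disk: a strict allowlist on the token itself plus a containment check on the resolved path. The token format (`16` to `64` lowercase hex characters) and the state directory are assumptions for the example.

```python
import re
from pathlib import Path

# Allowlist for session tokens: lowercase hex, 16-64 chars. This is a
# constructed policy for the example; the real backend's token format is
# not shown on the page. Anything containing '/', '\\', '.' or '%' fails here
# before any filesystem call is made.
TOKEN_RE = re.compile(r"[0-9a-f]{16,64}")


class InvalidStateToken(ValueError):
    """Raised when a state_token fails validation."""


def resolve_state_path(base_dir: str, state_token: str) -> Path:
    """Map a client-supplied state_token to a file inside base_dir.

    Two independent checks (defence in depth):
      1. The token must match the allowlist, so separators and dot
         sequences never reach the path layer.
      2. The resolved absolute path must sit directly inside base_dir,
         so a future relaxation of the allowlist cannot reintroduce
         traversal silently.
    """
    # fullmatch (not match/search) so a trailing newline cannot sneak past.
    if not isinstance(state_token, str) or not TOKEN_RE.fullmatch(state_token):
        raise InvalidStateToken("state_token failed allowlist check")
    root = Path(base_dir).resolve()
    candidate = (root / state_token).resolve()
    if candidate.parent != root:
        raise InvalidStateToken("state_token resolved outside the state directory")
    return candidate


def is_token_accepted(base_dir: str, state_token: str) -> bool:
    """Convenience wrapper: True if the token maps to a file under base_dir."""
    try:
        resolve_state_path(base_dir, state_token)
        return True
    except InvalidStateToken:
        return False


if __name__ == "__main__":
    # Constructed sample inputs; the directory need not exist for resolve().
    state_dir = "/tmp/mesop_state"
    for token in ["3f9a7c2e1b4d6e8f0a1b2c3d", "../../etc/passwd", "..", ""]:
        print(repr(token), "->", "accepted" if is_token_accepted(state_dir, token) else "rejected")
```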
CVE-2026-33054 is a critical Path Traversal vulnerability in mesop affecting versions up to 1.2.2rc1. It allows attackers to access and potentially modify files on the disk by manipulating the state_token.
You are affected if you are using mesop version 1.2.2rc1 or earlier and have the FileStateSessionBackend enabled. Check your version immediately.
Upgrade mesop to version 1.2.3 or later to resolve this vulnerability. If immediate upgrade is not possible, implement WAF rules to sanitize the state_token.
While no public exploits are currently known, the ease of exploitation suggests a potential for active exploitation. Monitor your systems closely.
Refer to the official mesop project's security advisories for the most up-to-date information and guidance: [https://mesop.example/security](https://mesop.example/security) (replace with actual advisory URL)