Platform: python
Component: mesop
Fixed in: 1.2.4
CVE-2026-33057 describes a Remote Code Execution (RCE) vulnerability discovered in Mesop, a Python-based UI framework. This flaw allows an attacker to execute arbitrary code on the server hosting the application, potentially leading to complete system compromise. The vulnerability affects versions 1.2.2 and earlier, and a fix is available in version 1.2.3.
The impact of CVE-2026-33057 is severe. An attacker who exploits this vulnerability gains complete control over the server running the Mesop application, including the ability to execute arbitrary commands, access sensitive data, install malware, and potentially pivot to other systems on the network. Because the endpoint requires no authentication, any attacker who can route HTTP requests to the /exec-py endpoint can exploit it, which makes the flaw particularly dangerous. The use of base64-encoded strings further obfuscates the malicious code and may evade basic detection mechanisms. This vulnerability resembles other code injection flaws in which untrusted input is executed directly, underlining the importance of input validation and sanitization.
CVE-2026-33057 was publicly disclosed on 2026-03-20. The vulnerability's simplicity and lack of authentication suggest a high probability of exploitation. While no public proof-of-concept (PoC) has been released at the time of writing, the ease of exploitation makes it a likely candidate for inclusion in exploit databases and automated scanning tools. It is not currently listed on CISA KEV, but its critical severity warrants close monitoring. Active campaigns targeting this vulnerability are possible.
Exploit Status
EPSS: 0.14% (34th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33057 is to upgrade Mesop to version 1.2.3 or later immediately. If upgrading is not immediately feasible, consider a temporary workaround: disable the /exec-py endpoint by modifying the ai/sandbox/wsgi_app.py file to remove or comment out the vulnerable route. Additionally, implement strict network segmentation to limit access to the Mesop application server. Monitor access logs for suspicious activity, particularly requests targeting the /exec-py endpoint. Consider using a Web Application Firewall (WAF) to block requests containing base64-encoded strings or other potentially malicious payloads. After upgrading, confirm the vulnerability is resolved by attempting to access the /exec-py endpoint and verifying that it returns an error or is inaccessible.
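The log-monitoring step above can be automated. The following is an added example for this advisory, not code from the Mesop project: it parses access-log lines in the common combined format, reports every request to /exec-py, aggregates them per client, and flags whether the endpoint is still answering with a non-error status (the post-upgrade check described above). The log lines and addresses are constructed sample data.

```python
"""Scan access logs for requests to Mesop's /exec-py endpoint (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List

# Apache/Nginx combined format: ip ident user [time] "METHOD PATH PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: two hits on the vulnerable endpoint and one ordinary request.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2026:10:02:11 +0000] "POST /exec-py HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [20/Mar/2026:10:02:15 +0000] "GET /static/app.js HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2026:10:02:19 +0000] "POST /exec-py?x=1 HTTP/1.1" 500 0 "-" "curl/8.4"
"""

SUSPICIOUS_PATH = "/exec-py"  # endpoint named in the advisory

@dataclass
class Hit:
    ip: str
    time: str
    method: str
    path: str
    status: int

def find_exec_py_requests(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per request whose path (query string ignored) is /exec-py."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production scanner should count these too
        if m.group("path").split("?", 1)[0] == SUSPICIOUS_PATH:
            hits.append(Hit(m.group("ip"), m.group("time"), m.group("method"),
                            m.group("path"), int(m.group("status"))))
    return hits

def hits_by_client(hits: List[Hit]) -> Counter:
    """Aggregate hits per source address to prioritise follow-up."""
    return Counter(h.ip for h in hits)

def endpoint_still_reachable(hits: List[Hit]) -> bool:
    """True if any /exec-py request got a non-error status, i.e. the route is still served."""
    return any(h.status < 400 for h in hits)

if __name__ == "__main__":
    found = find_exec_py_requests(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.time} {h.ip} {h.method} {h.path} -> {h.status}")
    print(hits_by_client(found), "reachable:", endpoint_still_reachable(found))
```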
Update Mesop to version 1.2.3 or higher. This version corrects the unauthenticated remote code execution vulnerability. The update can be performed through the Python package manager (pip).
CVE-2026-33057 is a CRITICAL Remote Code Execution vulnerability in Mesop versions 1.2.2 and earlier, allowing attackers to execute arbitrary code on the server via an unauthenticated endpoint.
You are affected if you are using Mesop version 1.2.2 or earlier. Upgrade to version 1.2.3 to mitigate the risk.
The recommended fix is to upgrade Mesop to version 1.2.3 or later. As a temporary workaround, disable the /exec-py endpoint.
While no confirmed exploitation is public, the vulnerability's ease of exploitation suggests a high probability of exploitation and warrants immediate attention.
Refer to the Mesop project's official website and GitHub repository for the latest advisory and security updates.