PT-2026-26182 · Mesop · Mesop

Liyander · Published 2026-03-18 · Updated 2026-03-26 · CVE-2026-33054

CVSS v3.1: 10 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Mesop versions 1.2.2 and below

Description: Mesop, a Python-based UI framework, contains a path traversal vulnerability. A user who supplies an untrusted state token through the UI stream payload can target files on disk when the standard file-based runtime backend is in use. This can lead to application denial of service, for example through crash loops when non-msgpack target files are read as configuration, or to arbitrary file manipulation. The vulnerability is particularly impactful on systems using the FileStateSessionBackend. An attacker can craft a malicious Protobuf payload and send it to the /ui stream endpoint, exploiting the unconditional passing of the state token to FileStateSessionBackend.make_file_path(self, token), which builds the file path with ordinary OS path semantics and therefore honours traversal sequences. The state token is taken from the untrusted incoming protobuf message: mesop.protos.ui_pb2.UserEvent.

Recommendations: Update Mesop to version 1.2.3 or later.
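The defect described above, as an added illustration that is not Mesop's code: a constructed file-based session backend stand-in shows the unconditional join beside a hardened make_file_path that allowlists the token syntax and then confirms the resolved path stays inside the session directory. The class name, token alphabet, ".msgpack" suffix and base directory are assumptions for the example.

```python
import re
from pathlib import Path

# Constructed stand-in for a file-based state backend (hypothetical; not Mesop's code).
# Tokens arrive from the client in the UserEvent payload, so they are attacker-controlled.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,128}$")  # assumed token alphabet and length range


class FileStateBackend:
    def __init__(self, base_dir: str):
        # Resolve once so symlinked base directories compare consistently later.
        self.base_dir = Path(base_dir).resolve()

    def make_file_path_vulnerable(self, token: str) -> Path:
        # The defect: the token is joined unconditionally. '..' segments walk out of
        # base_dir, and an absolute token replaces base_dir entirely.
        return self.base_dir / token

    def make_file_path(self, token: str) -> Path:
        # 1. Syntactic allowlist: anything that is not a bare token is rejected before
        #    it ever touches the filesystem (no separators, no '.', no empty string).
        if not TOKEN_RE.fullmatch(token):
            raise ValueError("invalid state token")
        # 2. Semantic containment: resolve the candidate and require its parent to be
        #    exactly base_dir. This is the defence-in-depth check should the regex
        #    ever be loosened; loading code should also treat undecodable files as a
        #    missing session rather than crash-looping on them.
        candidate = (self.base_dir / f"{token}.msgpack").resolve()
        if candidate.parent != self.base_dir:
            raise ValueError("state token escapes session directory")
        return candidate


def escapes_base(backend: FileStateBackend, token: str) -> bool:
    """True if the vulnerable join would place the file outside base_dir."""
    target = backend.make_file_path_vulnerable(token).resolve()
    return backend.base_dir not in target.parents


def accepts(backend: FileStateBackend, token: str) -> bool:
    """True if the hardened make_file_path accepts the token."""
    try:
        backend.make_file_path(token)
        return True
    except ValueError:
        return False
```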

Tags: Exploit · Fix · RCE · DoS · Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-33054
GHSA-8QVF-MR4W-9X2C

Affected Products

Mesop