Mesop Flaws Enable Unauthenticated RCE and Path Traversal
Two high-severity vulnerabilities in the Python web UI framework Mesop exposed applications to unauthenticated compromise in version 1.2.2 and earlier. The most critical issue, tracked as CVE-2026-33057, allowed remote code execution through an exposed /exec-py route in Mesop's AI testing infrastructure, where a debugging Flask server accepted base64-encoded Python code and executed it without authentication. The flaw was classified as CWE-94 with a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
A second flaw, CVE-2026-33054, let attackers exploit path traversal via an untrusted state_token processed by FileStateSessionBackend, enabling file write or deletion outside intended application boundaries and potentially causing denial-of-service crash loops. That issue was classified as CWE-22 with a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. Mesop addressed both vulnerabilities in version 1.2.3, and GitHub published security advisories and patch references for the fixes.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
GitHub received and published security advisories for the Mesop flaws
Security advisory information for the Mesop vulnerabilities was published on March 20, 2026, including notice that CVE-2026-33054 was newly received by security-advisories@github.com that day. The advisories documented impact, affected versions, and remediation in Mesop 1.2.3.
Mesop 1.2.3 released to fix the two vulnerabilities
Mesop fixed both the path traversal issue in FileStateSessionBackend and the unauthenticated /exec-py remote code execution flaw in version 1.2.3. The fixes were referenced in security advisory material and an associated patch commit.
Mesop versions 1.2.2 and earlier vulnerable to path traversal in FileStateSessionBackend
Mesop's file-based runtime backend allowed path traversal through an untrusted state_token in the UI stream payload, which could cause crash loops and arbitrary file write or deletion outside intended boundaries. The issue was later assigned CVE-2026-33054.
Mesop versions 1.2.2 and earlier exposed unauthenticated RCE via /exec-py
Mesop contained an exposed AI testing endpoint, /exec-py, that accepted and executed untrusted Python code without authentication, enabling remote code execution in version 1.2.2 and earlier. The flaw was later tracked as CVE-2026-33057.
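The path traversal in the file-based session backend (CVE-2026-33054) comes from building a filesystem path from a client-supplied state_token. The following is an added example, not Mesop's code: a hypothetical file-backed session store showing the unsafe join beside a hardened lookup that allow-lists the token and confirms the resolved path stays inside the session directory. The token format and the directory name are constructed assumptions.

```python
import os
import re
from pathlib import Path

# Allow-list for client-supplied tokens: opaque identifiers only.
# The shape is a constructed policy for this example, not Mesop's.
_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,128}")


class StateTokenError(ValueError):
    """Raised when a client-supplied state token is rejected."""


def unsafe_state_path(base_dir: str, state_token: str) -> str:
    """The vulnerable pattern (CWE-22), shown for contrast only: the
    untrusted token is joined straight into a filesystem path, so a
    token containing '../' or starting with '/' escapes base_dir."""
    return os.path.join(base_dir, state_token)


def safe_state_path(base_dir: str, state_token: str) -> Path:
    """Hardened lookup: allow-list the token's characters, then resolve
    the final path and require its parent to be base_dir itself."""
    if not _TOKEN_RE.fullmatch(state_token):
        raise StateTokenError("state token has an unexpected shape")
    root = Path(base_dir).resolve()
    # Second, independent check: even if the allow-list were loosened,
    # the resolved path (symlinks followed) must sit directly in root.
    candidate = (root / state_token).resolve()
    if candidate.parent != root:
        raise StateTokenError("state token resolves outside the session directory")
    return candidate


def token_accepted(base_dir: str, state_token: str) -> bool:
    """True if the hardened lookup would serve this token."""
    try:
        safe_state_path(base_dir, state_token)
    except StateTokenError:
        return False
    return True


def path_stays_inside(base_dir: str, path: str) -> bool:
    """Reports whether a path, once resolved, is still under base_dir;
    used to show where the unsafe join ends up."""
    root = Path(base_dir).resolve()
    try:
        Path(path).resolve().relative_to(root)
    except ValueError:
        return False
    return True
```

The same containment check applies to deletion as well as reads and writes, which is what turns a rejected token into a clean error instead of the crash loop the advisory describes.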
Sources
CVE-2026-33054 - Mesop: Path Traversal utilizing `FileStateSessionBackend` leads to Application Denial of Service and File Write/Deletion (cvefeed.io, open source)
CVE-2026-33057 - Mesop Affected by Unauthenticated Remote Code Execution via Test Suite Route /exec-py (cvefeed.io, open source)