cbcvebase.
CVE-2026-33057
published 2026-03-20

CVE-2026-33057: Mesop is a Python-based UI framework that allows users to build web applications. In versions 1.2.2 and below, an explicit web endpoint inside the ai/ testing…

PriorityP277critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
5.29%
91.6th percentile
Mesop is a Python-based UI framework that allows users to build web applications. In versions 1.2.2 and below, an explicit web endpoint inside the ai/ testing module infrastructure directly ingests untrusted Python code strings unconditionally without authentication measures, yielding standard Unrestricted Remote Code Execution. Any individual capable of routing HTTP logic to this server block will gain explicit host-machine command rights. The AI codebase package includes a lightweight debugging Flask server inside ai/sandbox/wsgi_app.py. The /exec-py route accepts base_64 encoded raw string payloads inside the code parameter natively evaluated by a basic POST web request. It saves it rapidly to the operating system logic path and injects it recursively using execute_module(module_path...). This issue has been fixed in version 1.2.3.

Affected

2 ranges
VendorProductVersion rangeFixed in
mesop-devmesop< 1.2.31.2.3
mesop-devmesop>= 0 < 1.2.31.2.3

Detection & IOCsextracted from sources · hover to see the quote

url/exec-py
pathai/sandbox/wsgi_app.py
commandPOST /exec-py HTTP/1.1
  • Monitor for unauthenticated HTTP POST requests to the /exec-py endpoint on any Mesop server; the request body will contain a 'code' parameter with a base64-encoded Python payload.
  • Look for the presence of ai/sandbox/wsgi_app.py on the filesystem and any process spawning from it, as this is the vulnerable Flask debug server component.
  • Alert on HTTP POST requests with Content-Type: application/x-www-form-urlencoded targeting /exec-py; the 'code' parameter value will be base64-encoded arbitrary Python code submitted without any authentication header.
  • Track calls to execute_module() originating from the Mesop AI sandbox process, especially when triggered by inbound HTTP requests, as this is the code execution sink.
  • Nuclei template digest can be used to fingerprint scanner activity targeting this CVE: digest value 490a0046304402201a267df2300fbb2c65314ecd24aa738af2b1d801fbde9d2eda50e6adb6370b3802207316597e5b106974f7191194ff49a4d5b7c5a7003a7cd3040150e2275673ba6d:922c64590222798bb761d5b6d8e72950
  • ·The vulnerable endpoint exists only within the ai/ testing/sandbox module and is not part of the core Mesop production server; exposure depends on whether this debug Flask server is deployed or reachable in a given environment.
  • ·The Nuclei probe expects an HTTP 500 response as a match condition alongside a marker string in the body, meaning benign 500 errors on /exec-py alone are insufficient for confirmed exploitation.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.