Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper Control of Generation of Code ('Code Injection') vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables code execution on other users' systems. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.
AnalysisAI
Code injection in Mesalvo Meona Client Launcher Component (through 19.06.2020 15:11:49) and Meona Server Component (through 2025.04 5+323020) allows an authenticated, low-privileged attacker to execute code on other users' systems via crafted input that crosses a scope boundary, with user interaction required on the victim side. CVSS 9.0 reflects the cross-user/cross-system impact (Scope:Changed) and full CIA compromise; no public exploit identified at time of analysis. The product is a clinical/healthcare workflow platform, so successful exploitation can pivot between hospital workstations and the server tier.
Technical ContextAI
The flaw is classified as CWE-94 (Improper Control of Generation of Code, i.e., code injection), meaning user-controllable input is incorporated into a code construct that the application later executes rather than treats as data. The affected CPEs are cpe:2.3:a:mesalvo:meona_client_launcher_component and cpe:2.3:a:mesalvo:meona_server_component, indicating both the thick-client launcher (responsible for bootstrapping the Meona clinical client on a workstation) and the central server component are involved. Because the CVSS Scope is Changed (S:C), the injection allows the attacker to influence resources beyond the vulnerable component's own security authority - consistent with one Meona user injecting code that ends up being executed in another user's client session via the shared server.
RemediationAI
No vendor-released patch identified at time of analysis from the provided input - the only reference is the researcher write-up at https://seccore.at/blog/cves-meona/, so operators should contact Mesalvo directly to obtain a Meona Client Launcher build newer than 19.06.2020 15:11:49 and a Server Component build newer than 2025.04 5+323020 and apply both in lockstep, since the components interact. Until a fixed build is confirmed, restrict Meona access to vetted clinical accounts, enforce least privilege on Meona role assignments to shrink the pool of PR:L attackers, segment the Meona server and launcher endpoints from general user networks, and increase monitoring of Meona audit logs and workstation process creation for anomalous child processes of the launcher (the likely execution sink). User-awareness reminders for clinicians not to action unexpected Meona prompts address the UI:R requirement; the trade-off is added friction in time-critical clinical workflows, so combine with technical controls rather than relying on it alone.
Privilege escalation in Mesalvo Meona Client Launcher and Server components allows a low-privileged authenticated user t
Privilege misassignment in Mesalvo Meona Client Launcher and Server components allows authenticated high-privilege users
Cleartext storage of sensitive information in memory (CWE-316) affects both the Meona Client Launcher Component and the
Mesalvo Meona's Client Launcher and Server components fail to verify data authenticity (CWE-345), enabling a locally aut
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31090
GHSA-xcwx-69fp-83wm