This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: Mesop allows **unrestricted code injection** via the `/exec-py` endpoint.β¦
π‘οΈ **Root Cause**: **CWE-94** (Code Injection). <br>π **Flaw**: The `ai/testing` module's `/exec-py` endpoint **unconditionally executes** unverified Python code without any input validation or sanitization.
Q3Who is affected? (Versions/Components)
π¦ **Affected**: **Mesop** (by mesop-dev). <br>π **Versions**: **1.2.2 and earlier**. <br>β οΈ **Component**: Specifically the `ai/testing` module endpoint.
Q4What can hackers do? (Privileges/Data)
π **Privileges**: Full **Remote Code Execution (RCE)**. <br>π **Data Impact**: Attackers can access, modify, or delete any data accessible to the Python process.β¦
π **Threshold**: **LOW**. <br>π« **Auth**: **No authentication required** (PR:N). <br>π **Access**: Requires only **HTTP access** to the server. <br>π― **Complexity**: Low (AC:L).
Q6Is there a public Exp? (PoC/Wild Exploitation)
π£ **Public Exploit**: **YES**. <br>π **PoC**: Available via **Nuclei Templates** (projectdiscovery). <br>β‘ **Status**: Exploitation is straightforward using base64-encoded Python code injection.
Q7How to self-check? (Features/Scanning)
π **Self-Check**: Scan for the `/exec-py` endpoint in the `ai/testing` module. <br>π‘ **Tooling**: Use **Nuclei** with the specific CVE-2026-33057 template to detect vulnerable instances.β¦
π οΈ **Fixed**: **YES**. <br>π **Patch**: Refer to the official GitHub commit `825f559` and the security advisory **GHSA-gjgx-rvqr-6w6v**. <br>β **Action**: Upgrade to a version newer than 1.2.2 immediately.
Q9What if no patch? (Workaround)
π§ **No Patch?**: **Block external access** to the `/exec-py` endpoint via firewall rules. <br>π **Mitigation**: Disable the `ai/testing` module if not strictly needed for development.β¦
π₯ **Urgency**: **CRITICAL**. <br>π **CVSS**: **9.8** (High). <br>β±οΈ **Priority**: **Immediate Action Required**. <br>π **Reason**: Unauthenticated RCE with public PoCs makes this a high-priority target for attackers.