GHSA-gjgx-rvqr-6w6v: Mesop Affected by Unauthenticated Remote Code Execution via Test Suite Route /exec-py
criticalvulnerability
security
Summary
Mesop contains a critical vulnerability in its testing module where a `/exec-py` route accepts Python code without any authentication checks and executes it directly on the server. This allows anyone who can send an HTTP request to the endpoint to run arbitrary commands on the machine hosting the application, a flaw known as unauthenticated remote code execution (RCE, where an attacker runs commands on a system they don't own).
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
March 18, 2026
Classification
Attack Type
Supply Chain
Attack SophisticationTrivial
Impact (CIA+S)
confidentialityintegrity
Taxonomy References
MITRE ATLAS (AI/ML Threat Technique)
Affected Vendors
Google
Affected Packages
mesop@<= 1.2.2 (fixed: 1.2.3)
Related Issues
Original source: https://github.com/advisories/GHSA-gjgx-rvqr-6w6v
First tracked: March 18, 2026 at 04:59 PM
Classified by LLM (prompt v3) · confidence: 95%