CVE-2026-29075
CRITICAL WAF: Medium
CVSS 9.8
Published: 2026-03-06
CWE-94
Mesa is an open-source Python library for agent-based modeling, simulating complex systems and exploring emergent behaviors. In version 3.5.0 and prior, checking out of untrusted code in benchmarks.yml workflow may lead to code execution in privileged runner. This issue has been patched via commit c35b8cd.
WAF Coverage Analysis
Code Injection
Medium WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution 933xxx - PHP Injection 934xxx - Node.js / Generic Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| mesa_project | mesa | up to 3.5.0 |
References
- github.com (Patch)
- github.com (Vendor Advisory, Mitigation)