{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T06:02:12.657","vulnerabilities":[{"cve":{"id":"CVE-2025-30358","sourceIdentifier":"security-advisories@github.com","published":"2025-03-27T15:16:02.297","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Mesop is a Python-based UI framework that allows users to build web applications. A class pollution vulnerability in Mesop prior to version 0.14.1 allows attackers to overwrite global variables and class attributes in certain Mesop modules during runtime. This vulnerability could directly lead to a denial of service (DoS) attack against the server. Additionally, it could also result in other severe consequences given the application's implementation, such as identity confusion, where an attacker could impersonate an assistant or system role within conversations. This impersonation could potentially enable jailbreak attacks when interacting with large language models (LLMs). Just like the Javascript's prototype pollution, this vulnerability could leave a way for attackers to manipulate the intended data-flow or control-flow of the application at runtime and lead to severe consequences like remote code execution when gadgets are available. Users should upgrade to version 0.14.1 to obtain a fix for the issue."},{"lang":"es","value":"Mesop es un framework de interfaz de usuario basado en Python que permite a los usuarios crear aplicaciones web. Una vulnerabilidad de contaminación de clases en Mesop, antes de la versión 0.14.1, permite a los atacantes sobrescribir variables globales y atributos de clase en ciertos módulos de Mesop durante la ejecución. Esta vulnerabilidad podría provocar un ataque de denegación de servicio (DoS) contra el servidor. Además, podría tener otras consecuencias graves debido a la implementación de la aplicación, como la confusión de identidad, donde un atacante podría suplantar la identidad de un asistente o un rol del sistema en las conversaciones. Esta suplantación podría permitir ataques de jailbreak al interactuar con grandes modelos de lenguaje (LLM). Al igual que la contaminación del prototipo de Javascript, esta vulnerabilidad podría permitir a los atacantes manipular el flujo de datos o el flujo de control previstos de la aplicación durante la ejecución, lo que podría tener consecuencias graves, como la ejecución remota de código cuando haya gadgets disponibles. Los usuarios deben actualizar a la versión 0.14.1 para obtener una solución."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-915"}]}],"references":[{"url":"https://github.com/mesop-dev/mesop/commit/748e20d4a363d89b841d62213f5b0c6b4bed788f","source":"security-advisories@github.com"},{"url":"https://github.com/mesop-dev/mesop/security/advisories/GHSA-f3mf-hm6v-jfhh","source":"security-advisories@github.com"}]}}]}