CVE-2026-29075
- Source
- https://cve.org/CVERecord?id=CVE-2026-29075
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29075.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-29075
- Aliases
-
- GHSA-3j55-5q6x-2h48
- Published
- 2026-03-06T16:30:08.146Z
- Modified
- 2026-04-10T05:42:26.424268Z
- Severity
-
- 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS Calculator
- Summary
- Mesa: Checking out of untrusted code in `benchmarks.yml` workflow may lead to code execution in privileged runner
- Details
-
Mesa is an open-source Python library for agent-based modeling, simulating complex systems and exploring emergent behaviors. In version 3.5.0 and prior, checking out of untrusted code in benchmarks.yml workflow may lead to code execution in privileged runner. This issue has been patched via commit c35b8cd.
- Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-94" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29075.json" }- References
Affected packages
Git / github.com/mesa/mesa
Affected ranges
- Type
- GIT
- Repo
- https://github.com/mesa/mesa
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v0.*
v0.6.0
v0.6.5
v0.6.5.1
v0.6.6
v0.7.6
v0.7.8
v0.7.8.1
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.8.7
v0.8.9
v0.9.0
v1.*
v1.0.0
v1.1.0
v1.2.0
v1.2.1
v2.*
v2.0.0
v2.0.1
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.2.0
v2.2.1
v2.2.5
v2.3.0
v2.3.0-rc1
v3.*
v3.0.0
v3.0.0a0
v3.0.0a1
v3.0.0a2
v3.0.0a3
v3.0.0a4
v3.0.0a5
v3.0.0b0
v3.0.0b1
v3.0.0b2
v3.0.0rc0
v3.0.1
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.2.0
v3.3.0
v3.4.0
v3.4.1
v3.5.0
v3.5.0b0