{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29075", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T20:51:43.483Z", "datePublished": "2026-03-06T16:30:08.146Z", "dateUpdated": "2026-03-09T15:00:07.203Z"}, "containers": {"cna": {"title": "Mesa: Checking out of untrusted code in `benchmarks.yml` workflow may lead to code execution in privileged runner", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/mesa/mesa/security/advisories/GHSA-3j55-5q6x-2h48", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mesa/mesa/security/advisories/GHSA-3j55-5q6x-2h48"}, {"name": "https://github.com/mesa/mesa/commit/c35b8cd67fc89dd680ae218e49b77f6e1ee07a27", "tags": ["x_refsource_MISC"], "url": "https://github.com/mesa/mesa/commit/c35b8cd67fc89dd680ae218e49b77f6e1ee07a27"}], "affected": [{"vendor": "mesa", "product": "mesa", "versions": [{"version": "<= 3.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T16:30:08.146Z"}, "descriptions": [{"lang": "en", "value": "Mesa is an open-source Python library for agent-based modeling, simulating complex systems and exploring emergent behaviors. In version 3.5.0 and prior, checking out of untrusted code in benchmarks.yml workflow may lead to code execution in privileged runner. This issue has been patched via commit c35b8cd."}], "source": {"advisory": "GHSA-3j55-5q6x-2h48", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T14:59:53.798140Z", "id": "CVE-2026-29075", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T15:00:07.203Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29075", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T14:59:53.798140Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T14:59:57.569Z"}}], "cna": {"title": "Mesa: Checking out of untrusted code in `benchmarks.yml` workflow may lead to code execution in privileged runner", "source": {"advisory": "GHSA-3j55-5q6x-2h48", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "mesa", "product": "mesa", "versions": [{"status": "affected", "version": "<= 3.5.0"}]}], "references": [{"url": "https://github.com/mesa/mesa/security/advisories/GHSA-3j55-5q6x-2h48", "name": "https://github.com/mesa/mesa/security/advisories/GHSA-3j55-5q6x-2h48", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/mesa/mesa/commit/c35b8cd67fc89dd680ae218e49b77f6e1ee07a27", "name": "https://github.com/mesa/mesa/commit/c35b8cd67fc89dd680ae218e49b77f6e1ee07a27", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Mesa is an open-source Python library for agent-based modeling, simulating complex systems and exploring emergent behaviors. In version 3.5.0 and prior, checking out of untrusted code in benchmarks.yml workflow may lead to code execution in privileged runner. This issue has been patched via commit c35b8cd."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T16:30:08.146Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29075", "state": "PUBLISHED", "dateUpdated": "2026-03-09T15:00:07.203Z", "dateReserved": "2026-03-03T20:51:43.483Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T16:30:08.146Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mesa_project:mesa:*:*:*:*:*:python:*:*", "matchCriteriaId": "FDC8696B-D702-4572-88EB-AA96A9CD65E7", "versionEndIncluding": "3.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mesa is an open-source Python library for agent-based modeling, simulating complex systems and exploring emergent behaviors. In version 3.5.0 and prior, checking out of untrusted code in benchmarks.yml workflow may lead to code execution in privileged runner. This issue has been patched via commit c35b8cd."}, {"lang": "es", "value": "Mesa es una librer\u00eda Python de c\u00f3digo abierto para modelado basado en agentes, simulando sistemas complejos y explorando comportamientos emergentes. En la versi\u00f3n 3.5.0 y anteriores, la extracci\u00f3n de c\u00f3digo no confiable en el flujo de trabajo benchmarks.yml puede llevar a la ejecuci\u00f3n de c\u00f3digo en un ejecutor privilegiado. Este problema ha sido parcheado a trav\u00e9s del commit c35b8cd."}], "id": "CVE-2026-29075", "lastModified": "2026-03-11T00:21:12.510", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-06T17:16:34.167", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/mesa/mesa/commit/c35b8cd67fc89dd680ae218e49b77f6e1ee07a27"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Mitigation"], "url": "https://github.com/mesa/mesa/security/advisories/GHSA-3j55-5q6x-2h48"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.5.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "mesa", "vendor": "mesa"}], "created": "2026-03-09T10:07:19.775122+00:00", "updated": "2026-03-09T10:07:19.775191+00:00", "vendors": ["mesa", "mesa$PRODUCT$mesa"]}