CVE-2026-29075 HIGH

CVE-2026-29075: Mesa: Checking out of untrusted code in `benchmarks.yml` workflow may lead to code execution in privileged runner

Vendor: Mesa
Product: mesa
Weakness: CWE-94 · Code injection
Published: March 6, 2026
Last update: March 9, 2026

CVSS base score

8.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

Mesa is an open-source Python library for agent-based modeling, simulating complex systems and exploring emergent behaviors. In versions 3.5.0 and prior, the `benchmarks.yml` workflow checks out untrusted code, which may lead to code execution in a privileged runner. This issue has been patched via commit c35b8cd.

Key dates

02 Disclosure timeline

March 6, 2026: CVE published
March 9, 2026: Record updated
