Unrated severityNVD Advisory· Published Mar 6, 2026· Updated Mar 9, 2026

Mesa: Checking out of untrusted code in `benchmarks.yml` workflow may lead to code execution in privileged runner

CVE-2026-29075

Description

Mesa is an open-source Python library for agent-based modeling, simulating complex systems and exploring emergent behaviors. In version 3.5.0 and prior, checking out of untrusted code in benchmarks.yml workflow may lead to code execution in privileged runner. This issue has been patched via commit c35b8cd.

Affected products

Mesa3d/Mesallm-fuzzy
Range: <=3.5.0
mesa/mesav5
Range: <= 3.5.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/mesa/mesa/commit/c35b8cd67fc89dd680ae218e49b77f6e1ee07a27mitrex_refsource_MISC
github.com/mesa/mesa/security/advisories/GHSA-3j55-5q6x-2h48mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000