Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/nicegui@2.22.0
Typepypi
Namespace
Namenicegui
Version2.22.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version3.7.0
Latest_non_vulnerable_version3.12.0
Affected_by_vulnerabilities
0
url VCID-f3yg-vbeb-9qgr
vulnerability_id VCID-f3yg-vbeb-9qgr
summary 
NiceGUI apps which use `ui.sub_pages` vulnerable to zero-click XSS
An unsafe implementation in the `pushstate` event listener used by `ui.sub_pages` allows an attacker to manipulate the fragment identifier of the URL, which _they can do despite being cross-site, using an iframe_.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-21873
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.06069
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-21873
1
reference_url https://github.com/zauberzeug/nicegui
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/zauberzeug/nicegui
2
reference_url https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-08T15:11:07Z/
url https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-21873
reference_id CVE-2026-21873
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-21873
4
reference_url https://github.com/advisories/GHSA-mhpg-c27v-6mxr
reference_id GHSA-mhpg-c27v-6mxr
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mhpg-c27v-6mxr
5
reference_url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mhpg-c27v-6mxr
reference_id GHSA-mhpg-c27v-6mxr
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-08T15:11:07Z/
url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mhpg-c27v-6mxr
fixed_packages
0
url pkg:pypi/nicegui@3.5.0
purl pkg:pypi/nicegui@3.5.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gk7h-2cu9-2uhm
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.5.0
aliases CVE-2026-21873, GHSA-mhpg-c27v-6mxr
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f3yg-vbeb-9qgr
1
url VCID-gk7h-2cu9-2uhm
vulnerability_id VCID-gk7h-2cu9-2uhm
summary NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25732
reference_id
reference_type
scores
0
value 0.01382
scoring_system epss
scoring_elements 0.80612
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25732
1
reference_url https://github.com/zauberzeug/nicegui
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/zauberzeug/nicegui
2
reference_url https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:57Z/
url https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115
3
reference_url https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:57Z/
url https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82
4
reference_url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:57Z/
url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh
5
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52534.py
reference_id CVE-2026-25732
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52534.py
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25732
reference_id CVE-2026-25732
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25732
7
reference_url https://github.com/advisories/GHSA-9ffm-fxg3-xrhh
reference_id GHSA-9ffm-fxg3-xrhh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9ffm-fxg3-xrhh
fixed_packages
0
url pkg:pypi/nicegui@3.7.0
purl pkg:pypi/nicegui@3.7.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.7.0
aliases CVE-2026-25732, GHSA-9ffm-fxg3-xrhh, PYSEC-2026-95
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gk7h-2cu9-2uhm
2
url VCID-xv1m-pvjj-mfhn
vulnerability_id VCID-xv1m-pvjj-mfhn
summary 
NiceGUI apps are vulnerable to XSS which uses `ui.sub_pages` and render arbitrary user-provided links
An unsafe implementation in the `click` event listener used by `ui.sub_pages`, combined with attacker-controlled link rendering on the page, causes an XSS when the user actively clicks on the link.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-21872
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.06069
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-21872
1
reference_url https://github.com/zauberzeug/nicegui
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/zauberzeug/nicegui
2
reference_url https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T15:12:53Z/
url https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-21872
reference_id CVE-2026-21872
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-21872
4
reference_url https://github.com/advisories/GHSA-m7j5-rq9j-6jj9
reference_id GHSA-m7j5-rq9j-6jj9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m7j5-rq9j-6jj9
5
reference_url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-m7j5-rq9j-6jj9
reference_id GHSA-m7j5-rq9j-6jj9
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T15:12:53Z/
url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-m7j5-rq9j-6jj9
fixed_packages
0
url pkg:pypi/nicegui@3.5.0
purl pkg:pypi/nicegui@3.5.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gk7h-2cu9-2uhm
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.5.0
aliases CVE-2026-21872, GHSA-m7j5-rq9j-6jj9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xv1m-pvjj-mfhn
Fixing_vulnerabilities
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@2.22.0