Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/47343?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/47343?format=api", "purl": "pkg:pypi/nicegui@0.8.10", "type": "pypi", "namespace": "", "name": "nicegui", "version": "0.8.10", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.10.0", "latest_non_vulnerable_version": "3.12.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50342?format=api", "vulnerability_id": "VCID-1p1q-5q27-euha", "summary": "NiceGUI vulnerable to XSS via Code Injection during client-side element function execution\nSeveral NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser.\n\nAdditionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27156", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.15007", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27156" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef3774720f8dbf", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T21:06:43Z/" } ], "url": "https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef3774720f8dbf" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27156", "reference_id": "CVE-2026-27156", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27156" }, { "reference_url": "https://github.com/advisories/GHSA-78qv-3mpx-9cqq", "reference_id": "GHSA-78qv-3mpx-9cqq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-78qv-3mpx-9cqq" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-78qv-3mpx-9cqq", "reference_id": "GHSA-78qv-3mpx-9cqq", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T21:06:43Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-78qv-3mpx-9cqq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74231?format=api", "purl": "pkg:pypi/nicegui@3.8.0", 
"is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a4cq-3qf6-z7hv" }, { "vulnerability": "VCID-ztpy-m9yn-ukb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.8.0" } ], "aliases": [ "CVE-2026-27156", "GHSA-78qv-3mpx-9cqq" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1p1q-5q27-euha" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56434?format=api", "vulnerability_id": "VCID-21u4-fgck-mye1", "summary": "NiceGUI On Air authentication issue\nOnce a user logins to one browser, all other browsers are logged in without entering password. Even incognito mode.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-21618", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00172", "scoring_system": "epss", "scoring_elements": "0.38468", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-21618" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://github.com/zauberzeug/nicegui/commit/1621a4ba6a06676b8094362d36623551e651adc1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-06T16:47:23Z/" } ], "url": 
"https://github.com/zauberzeug/nicegui/commit/1621a4ba6a06676b8094362d36623551e651adc1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21618", "reference_id": "CVE-2025-21618", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21618" }, { "reference_url": "https://github.com/advisories/GHSA-v6jv-p6r8-j78w", "reference_id": "GHSA-v6jv-p6r8-j78w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-v6jv-p6r8-j78w" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v6jv-p6r8-j78w", "reference_id": "GHSA-v6jv-p6r8-j78w", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-06T16:47:23Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v6jv-p6r8-j78w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/47492?format=api", "purl": "pkg:pypi/nicegui@2.9.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p1q-5q27-euha" }, { "vulnerability": "VCID-2kbx-8xs3-p3gs" }, { "vulnerability": "VCID-3hyc-h7ym-y7c9" }, { "vulnerability": "VCID-4btp-8pnj-rbgj" }, { "vulnerability": "VCID-a4cq-3qf6-z7hv" }, { "vulnerability": "VCID-dgqv-w1gf-qqby" }, { "vulnerability": "VCID-fwyg-jtwk-kkbh" }, { "vulnerability": "VCID-uz4k-r9c3-y3ea" }, { "vulnerability": "VCID-ztpy-m9yn-ukb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@2.9.1" } ], "aliases": [ "CVE-2025-21618", 
"GHSA-v6jv-p6r8-j78w" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-21u4-fgck-mye1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50018?format=api", "vulnerability_id": "VCID-2kbx-8xs3-p3gs", "summary": "NiceGUI's XSS vulnerability in ui.markdown() allows arbitrary JavaScript execution through unsanitized HTML content\nThe `ui.markdown()` component uses the `markdown2` library to convert markdown content to HTML, which is then rendered via `innerHTML`. By default, `markdown2` allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through `ui.markdown()`, an attacker can inject malicious HTML containing JavaScript event handlers.\n\nUnlike other NiceGUI components that render HTML (`ui.html()`, `ui.chat_message()`, `ui.interactive_image()`), the `ui.markdown()` component does not provide or require a `sanitize` parameter, leaving applications vulnerable to XSS attacks.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25516", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06028", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25516" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://github.com/zauberzeug/nicegui/commit/f1f7533577875af7d23f161ed3627f73584cb561", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:19:21Z/" } ], "url": "https://github.com/zauberzeug/nicegui/commit/f1f7533577875af7d23f161ed3627f73584cb561" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25516", "reference_id": "CVE-2026-25516", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25516" }, { "reference_url": "https://github.com/advisories/GHSA-v82v-c5x8-w282", "reference_id": "GHSA-v82v-c5x8-w282", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v82v-c5x8-w282" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v82v-c5x8-w282", "reference_id": "GHSA-v82v-c5x8-w282", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:19:21Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v82v-c5x8-w282" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/47536?format=api", "purl": "pkg:pypi/nicegui@3.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p1q-5q27-euha" }, { "vulnerability": 
"VCID-a4cq-3qf6-z7hv" }, { "vulnerability": "VCID-ztpy-m9yn-ukb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.7.0" } ], "aliases": [ "CVE-2026-25516", "GHSA-v82v-c5x8-w282" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2kbx-8xs3-p3gs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49367?format=api", "vulnerability_id": "VCID-3hyc-h7ym-y7c9", "summary": "NiceGUI Stored/Reflected XSS in ui.interactive_image via unsanitized SVG content\nA Cross-Site Scripting (XSS) vulnerability exists in the `ui.interactive_image` component of NiceGUI (v3.3.1 and earlier). The component renders SVG content using Vue's `v-html` directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG `<foreignObject>` tag.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66470", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01236", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66470" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://github.com/zauberzeug/nicegui/commit/58ad0b36e19922de16bbc79ea3ddd29851b1a3e3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-09T14:17:55Z/" } ], "url": "https://github.com/zauberzeug/nicegui/commit/58ad0b36e19922de16bbc79ea3ddd29851b1a3e3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66470", "reference_id": "CVE-2025-66470", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66470" }, { "reference_url": "https://github.com/advisories/GHSA-2m4f-cg75-76w2", "reference_id": "GHSA-2m4f-cg75-76w2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2m4f-cg75-76w2" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-2m4f-cg75-76w2", "reference_id": "GHSA-2m4f-cg75-76w2", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-09T14:17:55Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-2m4f-cg75-76w2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/47531?format=api", "purl": "pkg:pypi/nicegui@3.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p1q-5q27-euha" }, { "vulnerability": "VCID-2kbx-8xs3-p3gs" }, { "vulnerability": "VCID-a4cq-3qf6-z7hv" }, { "vulnerability": "VCID-en8b-9bda-x7cb" }, { "vulnerability": "VCID-fwyg-jtwk-kkbh" }, { 
"vulnerability": "VCID-hham-33zx-wyhj" }, { "vulnerability": "VCID-huge-nmx8-2qb5" }, { "vulnerability": "VCID-r9bg-bs31-q3gu" }, { "vulnerability": "VCID-ztpy-m9yn-ukb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.4.0" } ], "aliases": [ "CVE-2025-66470", "GHSA-2m4f-cg75-76w2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3hyc-h7ym-y7c9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49385?format=api", "vulnerability_id": "VCID-4btp-8pnj-rbgj", "summary": "NiceGUI has a path traversal in app.add_media_files() allows arbitrary file read\nA directory traversal vulnerability in NiceGUI's `App.add_media_files()` allows a remote attacker to read arbitrary files on the server filesystem.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66645", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00755", "scoring_system": "epss", "scoring_elements": "0.73642", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66645" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://github.com/zauberzeug/nicegui/commit/a1b89e2a24e1911a40389ace2153a37f4eea92a9", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-10T16:14:20Z/" } ], "url": "https://github.com/zauberzeug/nicegui/commit/a1b89e2a24e1911a40389ace2153a37f4eea92a9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66645", "reference_id": "CVE-2025-66645", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66645" }, { "reference_url": "https://github.com/advisories/GHSA-hxp3-63hc-5366", "reference_id": "GHSA-hxp3-63hc-5366", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hxp3-63hc-5366" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-hxp3-63hc-5366", "reference_id": "GHSA-hxp3-63hc-5366", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-10T16:14:20Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-hxp3-63hc-5366" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/47531?format=api", "purl": "pkg:pypi/nicegui@3.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p1q-5q27-euha" }, { "vulnerability": "VCID-2kbx-8xs3-p3gs" }, { "vulnerability": "VCID-a4cq-3qf6-z7hv" }, { "vulnerability": "VCID-en8b-9bda-x7cb" }, { "vulnerability": "VCID-fwyg-jtwk-kkbh" }, { "vulnerability": "VCID-hham-33zx-wyhj" }, { "vulnerability": 
"VCID-huge-nmx8-2qb5" }, { "vulnerability": "VCID-r9bg-bs31-q3gu" }, { "vulnerability": "VCID-ztpy-m9yn-ukb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.4.0" } ], "aliases": [ "CVE-2025-66645", "GHSA-hxp3-63hc-5366" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4btp-8pnj-rbgj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89263?format=api", "vulnerability_id": "VCID-a4cq-3qf6-z7hv", "summary": "NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows\n### Summary\n\nThe upload filename sanitization introduced in GHSA-9ffm-fxg3-xrhh uses `PurePosixPath(filename).name` to strip path components. Since `PurePosixPath` only recognizes forward slashes (`/`) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (`\\`) in the upload filename.\n\nApplications that construct file paths using `file.name` (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows.\n\n### Details\n\nThe sanitization in `nicegui/elements/upload_files.py` uses:\n\n```python\nfilename = PurePosixPath(upload.filename or '').name\n```\n\n`PurePosixPath` treats backslashes as literal characters, not path separators:\n\n```python\n>>> PurePosixPath('..\\\\..\\\\secret\\\\evil.txt').name\n'..\\\\..\\\\secret\\\\evil.txt' # Not stripped!\n```\n\nWhen this filename is used in a path operation on Windows (e.g., `Path('uploads') / file.name`), Windows `Path` interprets backslashes as directory separators, resolving the path outside the intended directory.\n\n### Impact\n\nOn Windows deployments of NiceGUI applications that use `file.name` in path construction:\n\n- **Arbitrary file write** outside the intended upload directory\n- **Potential remote code execution** through overwriting application files or placing executables in 
known locations\n- **Data integrity loss** through overwriting existing files\n\nLinux and macOS are not affected, as they treat backslashes as literal filename characters.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39844", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20077", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39844" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://github.com/zauberzeug/nicegui/commit/d38a702e3af2da5b0708f689be8d71413fc77056", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:55:44Z/" } ], "url": "https://github.com/zauberzeug/nicegui/commit/d38a702e3af2da5b0708f689be8d71413fc77056" }, { "reference_url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.10.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:55:44Z/" } ], "url": 
"https://github.com/zauberzeug/nicegui/releases/tag/v3.10.0" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w8wv-vfpc-hw2w", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:55:44Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w8wv-vfpc-hw2w" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39844", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39844" }, { "reference_url": "https://github.com/advisories/GHSA-w8wv-vfpc-hw2w", "reference_id": "GHSA-w8wv-vfpc-hw2w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-w8wv-vfpc-hw2w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110304?format=api", "purl": "pkg:pypi/nicegui@3.10.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.10.0" } ], "aliases": [ "CVE-2026-39844", "GHSA-w8wv-vfpc-hw2w" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a4cq-3qf6-z7hv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49369?format=api", "vulnerability_id": "VCID-dgqv-w1gf-qqby", "summary": "NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection\nA Cross-Site Scripting (XSS) 
vulnerability exists in `ui.add_css`, `ui.add_scss`, and `ui.add_sass` functions in NiceGUI (v3.3.1 and earlier).\n\nThese functions allow developers to inject styles dynamically. However, they lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended `<style>` or `<script>` tags by injecting closing tags (e.g., `</style>` or `</script>`), allowing for the execution of arbitrary JavaScript.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66469", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13274", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66469" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://github.com/zauberzeug/nicegui/commit/a8fd25b7d5e23afb1952d0f60a1940e18b5f1ca8", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-09T14:18:04Z/" } ], "url": "https://github.com/zauberzeug/nicegui/commit/a8fd25b7d5e23afb1952d0f60a1940e18b5f1ca8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66469", "reference_id": "CVE-2025-66469", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66469" }, { "reference_url": "https://github.com/advisories/GHSA-72qc-wxch-74mg", "reference_id": "GHSA-72qc-wxch-74mg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-72qc-wxch-74mg" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-72qc-wxch-74mg", "reference_id": "GHSA-72qc-wxch-74mg", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-09T14:18:04Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-72qc-wxch-74mg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/47531?format=api", "purl": "pkg:pypi/nicegui@3.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p1q-5q27-euha" }, { "vulnerability": "VCID-2kbx-8xs3-p3gs" }, { "vulnerability": "VCID-a4cq-3qf6-z7hv" }, { "vulnerability": "VCID-en8b-9bda-x7cb" }, { "vulnerability": "VCID-fwyg-jtwk-kkbh" }, { "vulnerability": "VCID-hham-33zx-wyhj" }, { "vulnerability": "VCID-huge-nmx8-2qb5" }, { "vulnerability": "VCID-r9bg-bs31-q3gu" }, { "vulnerability": "VCID-ztpy-m9yn-ukb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.4.0" } ], "aliases": [ "CVE-2025-66469", "GHSA-72qc-wxch-74mg" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-dgqv-w1gf-qqby" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37204?format=api", "vulnerability_id": "VCID-fwyg-jtwk-kkbh", "summary": "NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25732", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01382", "scoring_system": "epss", "scoring_elements": "0.80663", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25732" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:57Z/" } ], "url": "https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115" }, { "reference_url": "https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:57Z/" } ], "url": "https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:57Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52534.py", "reference_id": "CVE-2026-25732", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52534.py" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25732", "reference_id": 
"CVE-2026-25732", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25732" }, { "reference_url": "https://github.com/advisories/GHSA-9ffm-fxg3-xrhh", "reference_id": "GHSA-9ffm-fxg3-xrhh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9ffm-fxg3-xrhh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/47536?format=api", "purl": "pkg:pypi/nicegui@3.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p1q-5q27-euha" }, { "vulnerability": "VCID-a4cq-3qf6-z7hv" }, { "vulnerability": "VCID-ztpy-m9yn-ukb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.7.0" } ], "aliases": [ "CVE-2026-25732", "GHSA-9ffm-fxg3-xrhh", "PYSEC-2026-95" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fwyg-jtwk-kkbh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47932?format=api", "vulnerability_id": "VCID-uz4k-r9c3-y3ea", "summary": "NiceGUI has a Reflected XSS\nA Cross-Site Scripting (XSS) risk exists in NiceGUI when developers render unescaped user input into the DOM using `ui.html()`. Before version 3.0, NiceGUI does not enforce HTML or JavaScript sanitization, so applications that directly combine components like `ui.input()` with `ui.html()` without escaping may allow attackers to execute arbitrary JavaScript in the user’s browser. Same holds for `ui.chat_message` with HTML content.\n\nApplications that directly reflect user input via `ui.html()` (or `ui.chat_message` in HTML mode) are affected. 
This may lead to client-side code execution (e.g., session hijacking or phishing). Applications that do not pass untrusted input into ui.html() are not affected.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-53354", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07318", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-53354" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://github.com/zauberzeug/nicegui/commit/4673dc35c94a0c7339e2164378b0977332e60775", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-03T19:41:55Z/" } ], "url": "https://github.com/zauberzeug/nicegui/commit/4673dc35c94a0c7339e2164378b0977332e60775" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53354", "reference_id": "CVE-2025-53354", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53354" }, { "reference_url": "https://github.com/advisories/GHSA-8c95-hpq2-w46f", "reference_id": "GHSA-8c95-hpq2-w46f", "reference_type": "", 
"scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8c95-hpq2-w46f" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-8c95-hpq2-w46f", "reference_id": "GHSA-8c95-hpq2-w46f", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-03T19:41:55Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-8c95-hpq2-w46f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/47522?format=api", "purl": "pkg:pypi/nicegui@3.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1p1q-5q27-euha" }, { "vulnerability": "VCID-2kbx-8xs3-p3gs" }, { "vulnerability": "VCID-3hyc-h7ym-y7c9" }, { "vulnerability": "VCID-4btp-8pnj-rbgj" }, { "vulnerability": "VCID-a4cq-3qf6-z7hv" }, { "vulnerability": "VCID-dgqv-w1gf-qqby" }, { "vulnerability": "VCID-en8b-9bda-x7cb" }, { "vulnerability": "VCID-fwyg-jtwk-kkbh" }, { "vulnerability": "VCID-hham-33zx-wyhj" }, { "vulnerability": "VCID-huge-nmx8-2qb5" }, { "vulnerability": "VCID-r9bg-bs31-q3gu" }, { "vulnerability": "VCID-ztpy-m9yn-ukb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.0.0" } ], "aliases": [ "CVE-2025-53354", "GHSA-8c95-hpq2-w46f" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uz4k-r9c3-y3ea" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91860?format=api", "vulnerability_id": "VCID-ztpy-m9yn-ukb4", "summary": 
"NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion\n## Summary\n\nNiceGUI's `app.add_media_file()` and `app.add_media_files()` media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once.\n\nWith large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service.\n\n## Impact\n\n**Affected applications:** NiceGUI applications that serve media content via `app.add_media_file()` or `app.add_media_files()`, particularly those serving large files (video, audio).\n\n**What an attacker can do:**\n- Force the server to load entire files into memory instead of streaming them in chunks\n- Amplify memory usage with concurrent requests to large media files\n- Cause performance degradation, memory pressure, and potential OOM conditions\n\n**Attack difficulty:** Low - requires only a crafted query parameter.\n\n## Remediation\n\nUpgrade to a patched version of NiceGUI.\n\nAs a workaround, restrict access to media endpoints or strip unexpected query parameters at a reverse proxy layer.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33332", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12532", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33332" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T16:19:01Z/" } ], "url": "https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b" }, { "reference_url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T16:19:01Z/" } ], "url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T16:19:01Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33332", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33332" }, { "reference_url": "https://github.com/advisories/GHSA-w5g8-5849-vj76", "reference_id": "GHSA-w5g8-5849-vj76", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-w5g8-5849-vj76" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/114352?format=api", "purl": "pkg:pypi/nicegui@3.9.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a4cq-3qf6-z7hv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.9.0" } ], "aliases": [ "CVE-2026-33332", "GHSA-w5g8-5849-vj76" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ztpy-m9yn-ukb4" } ], "fixing_vulnerabilities": [], "risk_score": "10.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@0.8.10" }