Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/nicegui@1.4.21
Type pypi
Namespace
Name nicegui
Version 1.4.21
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 3.7.0
Latest_non_vulnerable_version 3.7.0
Affected_by_vulnerabilities
0
url VCID-fwyg-jtwk-kkbh
vulnerability_id VCID-fwyg-jtwk-kkbh
summary NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.
references
0
reference_url https://github.com/zauberzeug/nicegui
reference_id
reference_type
scores
url https://github.com/zauberzeug/nicegui
1
reference_url https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115
2
reference_url https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82
3
reference_url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25732
reference_id CVE-2026-25732
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-25732
5
reference_url https://github.com/advisories/GHSA-9ffm-fxg3-xrhh
reference_id GHSA-9ffm-fxg3-xrhh
reference_type
scores
url https://github.com/advisories/GHSA-9ffm-fxg3-xrhh
fixed_packages
0
url pkg:pypi/nicegui@3.7.0
purl pkg:pypi/nicegui@3.7.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.7.0
aliases CVE-2026-25732, GHSA-9ffm-fxg3-xrhh, PYSEC-2026-95
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fwyg-jtwk-kkbh
Fixing_vulnerabilities
0
url VCID-yru8-rc3x-4uad
vulnerability_id VCID-yru8-rc3x-4uad
summary
NiceGUI allows potential access to local file system
NiceGUI is an easy-to-use, Python-based UI framework. A local file inclusion is present in the NiceUI leaflet component when requesting resource files under the `/_nicegui/{__version__}/resources/{key}/{path:path}` route.

As a result any file on the backend filesystem which the web server has access to can be read by an attacker with access to the NiceUI leaflet website.

This vulnerability has been addressed in version 1.4.21. Users are advised to upgrade. There are no known workarounds for this vulnerability.
references
0
reference_url https://github.com/zauberzeug/nicegui
reference_id
reference_type
scores
url https://github.com/zauberzeug/nicegui
1
reference_url https://github.com/zauberzeug/nicegui/commit/ed12eb14f2a6c48b388a05c04b3c5a107ea9d330
reference_id
reference_type
scores
url https://github.com/zauberzeug/nicegui/commit/ed12eb14f2a6c48b388a05c04b3c5a107ea9d330
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-32005
reference_id CVE-2024-32005
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-32005
3
reference_url https://github.com/advisories/GHSA-mwc7-64wg-pgvj
reference_id GHSA-mwc7-64wg-pgvj
reference_type
scores
url https://github.com/advisories/GHSA-mwc7-64wg-pgvj
4
reference_url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mwc7-64wg-pgvj
reference_id GHSA-mwc7-64wg-pgvj
reference_type
scores
url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mwc7-64wg-pgvj
fixed_packages
0
url pkg:pypi/nicegui@1.4.21
purl pkg:pypi/nicegui@1.4.21
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-fwyg-jtwk-kkbh
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@1.4.21
aliases CVE-2024-32005, GHSA-mwc7-64wg-pgvj
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yru8-rc3x-4uad
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@1.4.21