Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/74231?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/74231?format=api", "purl": "pkg:pypi/nicegui@3.8.0", "type": "pypi", "namespace": "", "name": "nicegui", "version": "3.8.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.10.0", "latest_non_vulnerable_version": "3.12.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89263?format=api", "vulnerability_id": "VCID-a4cq-3qf6-z7hv", "summary": "NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows\n### Summary\n\nThe upload filename sanitization introduced in GHSA-9ffm-fxg3-xrhh uses `PurePosixPath(filename).name` to strip path components. Since `PurePosixPath` only recognizes forward slashes (`/`) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (`\\`) in the upload filename.\n\nApplications that construct file paths using `file.name` (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows.\n\n### Details\n\nThe sanitization in `nicegui/elements/upload_files.py` uses:\n\n```python\nfilename = PurePosixPath(upload.filename or '').name\n```\n\n`PurePosixPath` treats backslashes as literal characters, not path separators:\n\n```python\n>>> PurePosixPath('..\\\\..\\\\secret\\\\evil.txt').name\n'..\\\\..\\\\secret\\\\evil.txt' # Not stripped!\n```\n\nWhen this filename is used in a path operation on Windows (e.g., `Path('uploads') / file.name`), Windows `Path` interprets backslashes as directory separators, resolving the path outside the intended directory.\n\n### Impact\n\nOn Windows deployments of NiceGUI applications that use `file.name` in path construction:\n\n- **Arbitrary file write** outside the intended upload directory\n- **Potential remote code execution** through overwriting application files or placing executables in known locations\n- **Data integrity loss** through overwriting existing files\n\nLinux and macOS are not affected, as they treat backslashes as literal filename characters.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39844", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.19967", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20033", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20072", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20077", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39844" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://github.com/zauberzeug/nicegui/commit/d38a702e3af2da5b0708f689be8d71413fc77056", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:55:44Z/" } ], "url": "https://github.com/zauberzeug/nicegui/commit/d38a702e3af2da5b0708f689be8d71413fc77056" }, { "reference_url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.10.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:55:44Z/" } ], "url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.10.0" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w8wv-vfpc-hw2w", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:55:44Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w8wv-vfpc-hw2w" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39844", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39844" }, { "reference_url": "https://github.com/advisories/GHSA-w8wv-vfpc-hw2w", "reference_id": "GHSA-w8wv-vfpc-hw2w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w8wv-vfpc-hw2w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110304?format=api", "purl": "pkg:pypi/nicegui@3.10.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.10.0" } ], "aliases": [ "CVE-2026-39844", "GHSA-w8wv-vfpc-hw2w" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a4cq-3qf6-z7hv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91860?format=api", "vulnerability_id": "VCID-ztpy-m9yn-ukb4", "summary": "NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion\n## Summary\n\nNiceGUI's `app.add_media_file()` and `app.add_media_files()` media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once.\n\nWith large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service.\n\n## Impact\n\n**Affected applications:** NiceGUI applications that serve media content via `app.add_media_file()` or `app.add_media_files()`, particularly those serving large files (video, audio).\n\n**What an attacker can do:**\n- Force the server to load entire files into memory instead of streaming them in chunks\n- Amplify memory usage with concurrent requests to large media files\n- Cause performance degradation, memory pressure, and potential OOM conditions\n\n**Attack difficulty:** Low - requires only a crafted query parameter.\n\n## Remediation\n\nUpgrade to a patched version of NiceGUI.\n\nAs a workaround, restrict access to media endpoints or strip unexpected query parameters at a reverse proxy layer.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33332", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12497", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12414", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12534", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12532", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33332" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T16:19:01Z/" } ], "url": "https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b" }, { "reference_url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T16:19:01Z/" } ], "url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T16:19:01Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33332", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33332" }, { "reference_url": "https://github.com/advisories/GHSA-w5g8-5849-vj76", "reference_id": "GHSA-w5g8-5849-vj76", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w5g8-5849-vj76" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/114352?format=api", "purl": "pkg:pypi/nicegui@3.9.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a4cq-3qf6-z7hv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.9.0" } ], "aliases": [ "CVE-2026-33332", "GHSA-w5g8-5849-vj76" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ztpy-m9yn-ukb4" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50342?format=api", "vulnerability_id": "VCID-1p1q-5q27-euha", "summary": "NiceGUI vulnerable to XSS via Code Injection during client-side element function execution\nSeveral NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser.\n\nAdditionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27156", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.14881", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.14963", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.15004", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.15007", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27156" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef3774720f8dbf", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T21:06:43Z/" } ], "url": "https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef3774720f8dbf" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27156", "reference_id": "CVE-2026-27156", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27156" }, { "reference_url": "https://github.com/advisories/GHSA-78qv-3mpx-9cqq", "reference_id": "GHSA-78qv-3mpx-9cqq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-78qv-3mpx-9cqq" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-78qv-3mpx-9cqq", "reference_id": "GHSA-78qv-3mpx-9cqq", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T21:06:43Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-78qv-3mpx-9cqq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74231?format=api", "purl": "pkg:pypi/nicegui@3.8.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a4cq-3qf6-z7hv" }, { "vulnerability": "VCID-ztpy-m9yn-ukb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.8.0" } ], "aliases": [ "CVE-2026-27156", "GHSA-78qv-3mpx-9cqq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1p1q-5q27-euha" } ], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.8.0" }