| purl | pkg:pypi/nicegui@0.4.13 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-fwyg-jtwk-kkbh (Aliases: CVE-2026-25732, GHSA-9ffm-fxg3-xrhh, PYSEC-2026-95) | NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's `FileUpload.name` property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern `UPLOAD_DIR / file.name`. Malicious filenames containing `../` sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating `file.name` into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0. | Affected by 0 other vulnerabilities. |

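The advisory above names the risky pattern (`UPLOAD_DIR / file.name`) and the three mitigations that make an application unaffected (fixed paths, generated filenames, explicit sanitization). The following is an added example, not code from NiceGUI or from the advisory, showing why the naive join escapes the upload directory and how a hardened destination function avoids it. It does not depend on NiceGUI: `UPLOAD_DIR`, `SAMPLE_NAMES`, `ALLOWED_SUFFIXES` and the function names are constructed for illustration, and `client_name` stands in for whatever the framework reports as the uploaded file's name.

```python
"""Unsafe vs hardened handling of a client-supplied upload filename (added example)."""
import os
import re
import secrets
from pathlib import Path

# Constructed: the directory uploads are meant to land in. Any absolute path works.
UPLOAD_DIR = Path("/srv/app/uploads")

# Constructed client-supplied names, as a browser or HTTP client could send them.
SAMPLE_NAMES = [
    "report.pdf",                 # benign
    "../../srv/app/main.py",      # traversal to an application file
    "/etc/passwd",                # absolute path: pathlib's '/' discards UPLOAD_DIR entirely
    ".env",                       # dotfile with no extension
]

# Constructed allow list: the extension is the only user-controlled fragment we keep.
ALLOWED_SUFFIXES = {".pdf", ".png", ".jpg", ".txt", ".csv"}


def unsafe_destination(client_name: str) -> Path:
    """The pattern the advisory warns about: join UPLOAD_DIR with the raw client name.

    pathlib does not collapse '..' segments and an absolute right-hand operand
    replaces the left-hand side, so traversal survives into the returned path.
    """
    return UPLOAD_DIR / client_name


def escapes_upload_dir(dest: Path) -> bool:
    """Return True if dest, after normalising '..' segments, lies outside UPLOAD_DIR.

    Useful as a last-line check and as a detection for paths an application
    has already built; relative_to() compares path components, so a sibling
    directory such as /srv/app/uploads2 is correctly reported as outside.
    """
    normalised = Path(os.path.normpath(dest))
    try:
        normalised.relative_to(UPLOAD_DIR)
    except ValueError:
        return True
    return False


def safe_destination(client_name: str) -> Path:
    """Hardened version: never use the client name as a path component.

    1. Keep only the final component, splitting on both '/' and '\\' so a
       Windows-style traversal is neutralised even when the server runs on POSIX.
    2. Check the extension against an allow list.
    3. Generate the on-disk name ourselves, so '..', dotfiles and collisions
       cannot be introduced by the client.
    4. Verify the result is still inside UPLOAD_DIR before returning it.
    """
    basename = re.split(r"[\\/]", client_name)[-1]
    suffix = Path(basename).suffix.lower()
    if suffix not in ALLOWED_SUFFIXES:
        raise ValueError(f"disallowed file type: {suffix or '(none)'}")
    generated = f"{secrets.token_hex(16)}{suffix}"
    dest = UPLOAD_DIR / generated
    if escapes_upload_dir(dest):  # cannot trigger with a generated name; kept as a guard
        raise ValueError("destination escaped the upload directory")
    return dest


def compare(names: list[str]) -> dict[str, tuple[bool, str]]:
    """For each name: whether the naive join escapes, and what the safe path does."""
    results: dict[str, tuple[bool, str]] = {}
    for name in names:
        escaped = escapes_upload_dir(unsafe_destination(name))
        try:
            outcome = f"stored as {safe_destination(name).name}"
        except ValueError as exc:
            outcome = f"rejected: {exc}"
        results[name] = (escaped, outcome)
    return results


if __name__ == "__main__":
    for name, (escaped, outcome) in compare(SAMPLE_NAMES).items():
        print(f"{name!r:28} naive join escapes: {str(escaped):5}  hardened: {outcome}")
```

The detection helper `escapes_upload_dir` is also the check to run over paths an existing code base already constructs when auditing for this pattern; the hardened function never needs it to fire because the client name never reaches the filesystem.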
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-02T04:23:51.621023+00:00 | Pypa Importer | Affected by | VCID-fwyg-jtwk-kkbh | https://github.com/pypa/advisory-database/blob/main/vulns/nicegui/PYSEC-2026-95.yaml | 38.6.0 |