Search for packages
| purl | pkg:pypi/nicegui@2.22.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-f3yg-vbeb-9qgr
Aliases: CVE-2026-21873 GHSA-mhpg-c27v-6mxr |
NiceGUI apps which use `ui.sub_pages` vulnerable to zero-click XSS An unsafe implementation in the `pushstate` event listener used by `ui.sub_pages` allows an attacker to manipulate the fragment identifier of the URL, which _they can do despite being cross-site, using an iframe_. |
Affected by 1 other vulnerability. |
|
VCID-gk7h-2cu9-2uhm
Aliases: CVE-2026-25732 GHSA-9ffm-fxg3-xrhh PYSEC-2026-95 |
NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0. |
Affected by 0 other vulnerabilities. |
|
VCID-xv1m-pvjj-mfhn
Aliases: CVE-2026-21872 GHSA-m7j5-rq9j-6jj9 |
NiceGUI apps are vulnerable to XSS which uses `ui.sub_pages` and render arbitrary user-provided links An unsafe implementation in the `click` event listener used by `ui.sub_pages`, combined with attacker-controlled link rendering on the page, causes an XSS when the user actively clicks on the link. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||