VulnerableCode Package Details - pkg:pypi/nicegui@3.4.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-fwyg-jtwk-kkbh Aliases: CVE-2026-25732 GHSA-9ffm-fxg3-xrhh PYSEC-2026-95	NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.	3.7.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-fwyg-jtwk-kkbh
Aliases:
CVE-2026-25732
GHSA-9ffm-fxg3-xrhh
PYSEC-2026-95

NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.

3.7.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-3hyc-h7ym-y7c9	NiceGUI Stored/Reflected XSS in ui.interactive_image via unsanitized SVG content A Cross-Site Scripting (XSS) vulnerability exists in the `ui.interactive_image` component of NiceGUI (v3.3.1 and earlier). The component renders SVG content using Vue's `v-html` directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG `<foreignObject>` tag.	CVE-2025-66470 GHSA-2m4f-cg75-76w2
VCID-4btp-8pnj-rbgj	NiceGUI has a path traversal in app.add_media_files() allows arbitrary file read A directory traversal vulnerability in NiceGUI's `App.add_media_files()` allows a remote attacker to read arbitrary files on the server filesystem.	CVE-2025-66645 GHSA-hxp3-63hc-5366
VCID-dgqv-w1gf-qqby	NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection A Cross-Site Scripting (XSS) vulnerability exists in `ui.add_css`, `ui.add_scss`, and `ui.add_sass` functions in NiceGUI (v3.3.1 and earlier). These functions allow developers to inject styles dynamically. However, they lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended `<style>` or `<script>` tags by injecting closing tags (e.g., `</style>` or `</script>`), allowing for the execution of arbitrary JavaScript.	CVE-2025-66469 GHSA-72qc-wxch-74mg

Vulnerability

Summary

Aliases

VCID-3hyc-h7ym-y7c9

NiceGUI Stored/Reflected XSS in ui.interactive_image via unsanitized SVG content A Cross-Site Scripting (XSS) vulnerability exists in the `ui.interactive_image` component of NiceGUI (v3.3.1 and earlier). The component renders SVG content using Vue's `v-html` directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG `<foreignObject>` tag.

CVE-2025-66470
GHSA-2m4f-cg75-76w2

VCID-4btp-8pnj-rbgj

NiceGUI has a path traversal in app.add_media_files() allows arbitrary file read A directory traversal vulnerability in NiceGUI's `App.add_media_files()` allows a remote attacker to read arbitrary files on the server filesystem.

CVE-2025-66645
GHSA-hxp3-63hc-5366

VCID-dgqv-w1gf-qqby

NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection A Cross-Site Scripting (XSS) vulnerability exists in `ui.add_css`, `ui.add_scss`, and `ui.add_sass` functions in NiceGUI (v3.3.1 and earlier). These functions allow developers to inject styles dynamically. However, they lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended `<style>` or `<script>` tags by injecting closing tags (e.g., `</style>` or `</script>`), allowing for the execution of arbitrary JavaScript.

CVE-2025-66469
GHSA-72qc-wxch-74mg

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:49:07.009532+00:00	GitLab Importer	Fixing	VCID-4btp-8pnj-rbgj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/nicegui/CVE-2025-66645.yml	38.6.0
2026-06-02T04:49:05.860832+00:00	GitLab Importer	Fixing	VCID-dgqv-w1gf-qqby	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/nicegui/CVE-2025-66469.yml	38.6.0
2026-06-02T04:49:05.764540+00:00	GitLab Importer	Fixing	VCID-3hyc-h7ym-y7c9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/nicegui/CVE-2025-66470.yml	38.6.0
2026-06-02T04:23:52.822797+00:00	Pypa Importer	Affected by	VCID-fwyg-jtwk-kkbh	https://github.com/pypa/advisory-database/blob/main/vulns/nicegui/PYSEC-2026-95.yaml	38.6.0