Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:pypi/nicegui@3.5.0
purl pkg:pypi/nicegui@3.5.0
Next non-vulnerable version 3.7.0
Latest non-vulnerable version 3.8.0
Risk 4.0
Vulnerabilities affecting this package (1)
Vulnerability Summary Fixed by
VCID-gk7h-2cu9-2uhm
Aliases:
CVE-2026-25732
GHSA-9ffm-fxg3-xrhh
PYSEC-2026-95
NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.
3.7.0
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (4)
Vulnerability Summary Aliases
VCID-f3yg-vbeb-9qgr NiceGUI apps which use `ui.sub_pages` vulnerable to zero-click XSS An unsafe implementation in the `pushstate` event listener used by `ui.sub_pages` allows an attacker to manipulate the fragment identifier of the URL, which _they can do despite being cross-site, using an iframe_. CVE-2026-21873
GHSA-mhpg-c27v-6mxr
VCID-grbn-3vxr-rqds NiceGUI has Redis connection leak via tab storage causes service degradation An unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. **NiceGUI continues accepting new connections - errors are logged but the app stays up with broken storage functionality.** CVE-2026-21874
GHSA-mp55-g7pj-rvm2
VCID-xv1m-pvjj-mfhn NiceGUI apps are vulnerable to XSS which uses `ui.sub_pages` and render arbitrary user-provided links An unsafe implementation in the `click` event listener used by `ui.sub_pages`, combined with attacker-controlled link rendering on the page, causes an XSS when the user actively clicks on the link. CVE-2026-21872
GHSA-m7j5-rq9j-6jj9
VCID-ztch-92ab-gue7 NiceGUI is vulnerable to XSS via Unescaped URL in ui.navigate.history.push() / replace() XSS risk exists in NiceGUI when developers pass attacker-controlled strings into `ui.navigate.history.push()` or `ui.navigate.history.replace()`. These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim’s browser. **Applications that do not pass untrusted input into `ui.navigate.history.push/replace` are not affected.** CVE-2026-21871
GHSA-7grm-h62g-5m97

Date Actor Action Vulnerability Source VulnerableCode Version
2026-05-31T10:53:09.681683+00:00 GithubOSV Importer Fixing VCID-xv1m-pvjj-mfhn https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-m7j5-rq9j-6jj9/GHSA-m7j5-rq9j-6jj9.json 38.6.0
2026-05-31T10:53:03.850017+00:00 GithubOSV Importer Fixing VCID-f3yg-vbeb-9qgr https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-mhpg-c27v-6mxr/GHSA-mhpg-c27v-6mxr.json 38.6.0
2026-05-31T10:53:01.783626+00:00 GithubOSV Importer Fixing VCID-ztch-92ab-gue7 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-7grm-h62g-5m97/GHSA-7grm-h62g-5m97.json 38.6.0
2026-05-31T10:52:51.133823+00:00 GithubOSV Importer Fixing VCID-grbn-3vxr-rqds https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-mp55-g7pj-rvm2/GHSA-mp55-g7pj-rvm2.json 38.6.0
2026-05-31T09:47:23.058711+00:00 PyPI Importer Affected by VCID-gk7h-2cu9-2uhm https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-31T01:06:27.975558+00:00 GHSA Importer Fixing VCID-grbn-3vxr-rqds https://github.com/advisories/GHSA-mp55-g7pj-rvm2 38.6.0
2026-05-31T01:06:27.934838+00:00 GHSA Importer Fixing VCID-f3yg-vbeb-9qgr https://github.com/advisories/GHSA-mhpg-c27v-6mxr 38.6.0
2026-05-31T01:06:27.896994+00:00 GHSA Importer Fixing VCID-xv1m-pvjj-mfhn https://github.com/advisories/GHSA-m7j5-rq9j-6jj9 38.6.0
2026-05-31T01:06:27.859602+00:00 GHSA Importer Fixing VCID-ztch-92ab-gue7 https://github.com/advisories/GHSA-7grm-h62g-5m97 38.6.0
2026-05-30T21:05:48.730808+00:00 GitLab Importer Fixing VCID-grbn-3vxr-rqds https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/nicegui/CVE-2026-21874.yml 38.6.0
2026-05-30T21:05:48.538473+00:00 GitLab Importer Fixing VCID-ztch-92ab-gue7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/nicegui/CVE-2026-21871.yml 38.6.0
2026-05-30T21:05:48.125713+00:00 GitLab Importer Fixing VCID-f3yg-vbeb-9qgr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/nicegui/CVE-2026-21873.yml 38.6.0
2026-05-30T21:05:47.205298+00:00 GitLab Importer Fixing VCID-xv1m-pvjj-mfhn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/nicegui/CVE-2026-21872.yml 38.6.0
2026-05-30T20:37:12.727485+00:00 Pypa Importer Affected by VCID-gk7h-2cu9-2uhm https://github.com/pypa/advisory-database/blob/main/vulns/nicegui/PYSEC-2026-95.yaml 38.6.0