Staging Environment: Content and features may be unstable or change without notice.
Package details: pkg:pypi/nicegui@3.7.0
purl pkg:pypi/nicegui@3.7.0
Vulnerabilities affecting this package (0)
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (2)

VCID-2kbx-8xs3-p3gs
Summary: NiceGUI's XSS vulnerability in ui.markdown() allows arbitrary JavaScript execution through unsanitized HTML content.
The `ui.markdown()` component uses the `markdown2` library to convert markdown content to HTML, which is then rendered via `innerHTML`. By default, `markdown2` allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through `ui.markdown()`, an attacker can inject malicious HTML containing JavaScript event handlers. Unlike other NiceGUI components that render HTML (`ui.html()`, `ui.chat_message()`, `ui.interactive_image()`), the `ui.markdown()` component does not provide or require a `sanitize` parameter, leaving applications vulnerable to XSS attacks.
Aliases: CVE-2026-25516, GHSA-v82v-c5x8-w282
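To make the advisory's point concrete, here is an added example (not NiceGUI's or markdown2's code) of the output-side mitigation an application can apply to HTML derived from untrusted markdown: an allowlist sanitizer built on the standard library's `html.parser`. The allowed tags, the `href` scheme list and the attacker HTML fed in are all constructed for this example; the sample stands in for what a renderer that passes raw HTML through unchanged would emit for an attacker-controlled document.

```python
"""Allowlist sanitizer for HTML produced from untrusted markdown (stdlib only).

Added example, not NiceGUI or markdown2 code. ATTACKER_RENDERED below is a
constructed sample of what a markdown renderer that passes raw HTML through
unchanged would emit for an attacker-controlled document.
"""
import html
from html.parser import HTMLParser

# Tags a markdown renderer legitimately emits; anything else is dropped.
ALLOWED_TAGS = {"p", "br", "em", "strong", "code", "pre", "ul", "ol", "li",
                "h1", "h2", "h3", "blockquote", "a"}
# Per-tag attribute allowlist: no on* handlers, no style, no src/srcdoc.
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/", "#")
VOID_TAGS = {"br"}
# Tags whose text content is script or style rather than prose: discard it.
DROP_CONTENT_TAGS = {"script", "style"}


class _AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text children are still emitted, escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops onerror=, onclick=, style=, src=, ...
            if name == "href":
                v = value.strip().lower()  # HTMLParser already decoded &#106; etc.
                # scheme allowlist; "//host" is protocol-relative and rejected too
                if not v.startswith(SAFE_HREF_PREFIXES) or v.startswith("//"):
                    continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            # Re-escape text so a decoded "&lt;script&gt;" cannot become a tag.
            self.parts.append(html.escape(data, quote=False))
    # Comments, doctype and processing instructions are dropped by default.


def sanitize_html(rendered: str) -> str:
    """Return rendered HTML reduced to the allowlist above."""
    s = _AllowlistSanitizer()
    s.feed(rendered)
    s.close()
    return "".join(s.parts)


# Constructed sample: renderer output for an attacker-supplied document.
ATTACKER_RENDERED = (
    '<p>Hello <img src=x onerror="alert(document.cookie)"></p>'
    '<a href="javascript:alert(1)">click</a>'
    '<script>alert(1)</script>'
    '<p>bye &amp; <b>bold</b></p>'
)

if __name__ == "__main__":
    print(sanitize_html(ATTACKER_RENDERED))
```

The first remedy is upgrading to 3.7.0, which this page lists as fixing the advisory. Where an application must keep rendering user-controlled markdown on an older version, it can render through markdown2 itself with its `safe_mode` option (which escapes or replaces raw HTML) or pass the rendered HTML through a sanitizer like this one before it reaches the UI; the sanitizer drops unknown tags and every attribute not on the per-tag list, so `onerror` handlers and `javascript:` links never reach `innerHTML`, while text content is re-escaped so decoded entities cannot be promoted to markup.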
VCID-fwyg-jtwk-kkbh
Summary: NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's `FileUpload.name` property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern `UPLOAD_DIR / file.name`. Malicious filenames containing `../` sequences allow attackers to write files outside the intended directory, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications that follow common community patterns. Note: exploitation requires application code that incorporates `file.name` into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.
Aliases: CVE-2026-25732, GHSA-9ffm-fxg3-xrhh, PYSEC-2026-95
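The vulnerable pattern the advisory names, `UPLOAD_DIR / file.name`, beside a hardened replacement, as an added example that is not NiceGUI's code. `client_name` stands in for the client-supplied `FileUpload.name`; the directories, filenames and the `demonstrate()` sandbox run are constructed for this example. It goes one step beyond the advisory's `../` case to show that an absolute client name also escapes, because `pathlib` discards the left operand when the right one is absolute.

```python
"""Upload-path handling: the advisory's vulnerable pattern beside a hardened one.

Added example, not NiceGUI code. client_name stands in for the client-supplied
FileUpload.name; the directories and names used below are constructed.
"""
import os
import re
import secrets
import tempfile
from pathlib import Path, PurePosixPath
from typing import Optional

_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def where_vulnerable_writes(upload_dir: str, client_name: str) -> str:
    """UPLOAD_DIR / file.name as the advisory describes it, normalised the way
    the OS will at open time: ".." walks up, and an absolute name replaces
    upload_dir entirely because pathlib drops the left operand."""
    return os.path.normpath(str(Path(upload_dir) / client_name))


def save_upload_vulnerable(upload_dir: Path, client_name: str, data: bytes) -> Path:
    target = upload_dir / client_name  # no check of any kind
    target.write_bytes(data)
    return target


def safe_leaf_name(client_name: str) -> Optional[str]:
    """Reduce an untrusted filename to one safe path component, or None."""
    # Keep only the last component; treat "\" as a separator too, since a
    # Windows browser may send one and POSIX would otherwise keep it in the name.
    leaf = PurePosixPath(client_name.replace("\\", "/")).name
    # Character allowlist, then strip leading dots (".", "..", dotfiles).
    leaf = _UNSAFE_CHARS.sub("_", leaf).lstrip(".")[:200]
    return leaf or None


def safe_upload_path(upload_dir: Path, client_name: str) -> Path:
    leaf = safe_leaf_name(client_name)
    if leaf is None:
        raise ValueError("unusable filename")
    # Random prefix: no collisions, and no overwriting an existing file by name.
    target = (upload_dir / f"{secrets.token_hex(8)}_{leaf}").resolve()
    # Containment check after symlink resolution, as a last line of defence.
    if upload_dir.resolve() not in target.parents:
        raise ValueError("path escapes upload directory")
    return target


def save_upload_safe(upload_dir: Path, client_name: str, data: bytes) -> Path:
    upload_dir.mkdir(parents=True, exist_ok=True)
    target = safe_upload_path(upload_dir, client_name)
    # O_EXCL: fail instead of overwriting if the name somehow already exists.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return target


def demonstrate() -> dict:
    """Run both versions against "../outside.txt" in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        uploads = root / "uploads"
        uploads.mkdir()
        escaped = save_upload_vulnerable(uploads, "../outside.txt", b"pwned")
        kept = save_upload_safe(uploads, "../outside.txt", b"ok")
        return {
            "vulnerable_file_outside_uploads": escaped.resolve() == root / "outside.txt",
            "hardened_file_inside_uploads": kept.parent == uploads,
            "hardened_name_keeps_leaf": kept.name.endswith("_outside.txt"),
        }


if __name__ == "__main__":
    print(where_vulnerable_writes("/srv/app/uploads", "../../../etc/cron.d/job"))
    print(where_vulnerable_writes("/srv/app/uploads", "/etc/passwd"))
    print(demonstrate())
```

Reducing the name to a single sanitized component is one of the three patterns the advisory lists as unaffected; generating the stored filename entirely (a token plus a server-chosen extension) and keeping the client's name only as display metadata is another and avoids the problem outright. The `O_EXCL` open guards against a second upload silently replacing an existing file, which is the overwrite step the advisory's remote-code-execution scenario depends on.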

Date | Actor | Action | Vulnerability | Source | VulnerableCode version
2026-06-02T04:49:58.473951+00:00 | GitLab Importer | Fixing | VCID-fwyg-jtwk-kkbh | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/nicegui/CVE-2026-25732.yml | 38.6.0
2026-06-02T04:49:58.208234+00:00 | GitLab Importer | Fixing | VCID-2kbx-8xs3-p3gs | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/nicegui/CVE-2026-25516.yml | 38.6.0
2026-06-02T04:23:52.847366+00:00 | Pypa Importer | Fixing | VCID-fwyg-jtwk-kkbh | https://github.com/pypa/advisory-database/blob/main/vulns/nicegui/PYSEC-2026-95.yaml | 38.6.0