Package details: pkg:pypi/nicegui@3.7.1
purl pkg:pypi/nicegui@3.7.1
Next non-vulnerable version 3.10.0
Latest non-vulnerable version 3.12.0
Risk 3.1
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-6jca-vw6d-ubdp
Aliases:
CVE-2026-33332
GHSA-w5g8-5849-vj76
NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.
3.9.0
Affected by 1 other vulnerability.
VCID-wgp7-za8k-bqaq
Aliases:
CVE-2026-27156
GHSA-78qv-3mpx-9cqq
NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser. Additionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context. Version 3.8.0 contains a fix.
3.8.0
Affected by 2 other vulnerabilities.
VCID-yjjx-r1vh-d3gn
Aliases:
CVE-2026-39844
GHSA-w8wv-vfpc-hw2w
NiceGUI is a Python-based UI framework. Prior to 3.10.0, since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (\) in the upload filename. Applications that construct file paths using file.name (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows. This vulnerability is fixed in 3.10.0.
3.10.0
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-12T21:57:27.888197+00:00 GitLab Importer Affected by VCID-yjjx-r1vh-d3gn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/nicegui/CVE-2026-39844.yml 38.6.0
2026-06-12T21:32:51.860150+00:00 GitLab Importer Affected by VCID-6jca-vw6d-ubdp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/nicegui/CVE-2026-33332.yml 38.6.0
2026-06-12T21:04:39.735554+00:00 GitLab Importer Affected by VCID-wgp7-za8k-bqaq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/nicegui/CVE-2026-27156.yml 38.6.0
2026-06-11T20:38:18.381473+00:00 GHSA Importer Affected by VCID-wgp7-za8k-bqaq https://github.com/advisories/GHSA-78qv-3mpx-9cqq 38.6.0