Lookup for vulnerable packages by Package URL.
| Purl | pkg:pypi/nicegui@0.2.11 |
|---|
| Type | pypi |
|---|
| Namespace | |
|---|
| Name | nicegui |
|---|
| Version | 0.2.11 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | true |
|---|
| Next_non_vulnerable_version | 3.7.0 |
|---|
| Latest_non_vulnerable_version | 3.7.0 |
|---|
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-fwyg-jtwk-kkbh |
| vulnerability_id |
VCID-fwyg-jtwk-kkbh |
| summary |
NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-25732, GHSA-9ffm-fxg3-xrhh, PYSEC-2026-95
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fwyg-jtwk-kkbh |
|
|
|---|
| Fixing_vulnerabilities |
|
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@0.2.11 |
|---|