Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/nicegui@3.8.0
Type pypi
Namespace
Name nicegui
Version 3.8.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 3.10.0
Latest_non_vulnerable_version 3.12.0
Affected_by_vulnerabilities
0
url VCID-a4cq-3qf6-z7hv
vulnerability_id VCID-a4cq-3qf6-z7hv
summary
NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows
### Summary

The upload filename sanitization introduced in GHSA-9ffm-fxg3-xrhh uses `PurePosixPath(filename).name` to strip path components. Since `PurePosixPath` only recognizes forward slashes (`/`) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (`\`) in the upload filename.

Applications that construct file paths using `file.name` (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows.

### Details

The sanitization in `nicegui/elements/upload_files.py` uses:

```python
filename = PurePosixPath(upload.filename or '').name
```

`PurePosixPath` treats backslashes as literal characters, not path separators:

```python
>>> PurePosixPath('..\\..\\secret\\evil.txt').name
'..\\..\\secret\\evil.txt'  # Not stripped!
```

When this filename is used in a path operation on Windows (e.g., `Path('uploads') / file.name`), Windows `Path` interprets backslashes as directory separators, resolving the path outside the intended directory.

### Impact

On Windows deployments of NiceGUI applications that use `file.name` in path construction:

- **Arbitrary file write** outside the intended upload directory
- **Potential remote code execution** through overwriting application files or placing executables in known locations
- **Data integrity loss** through overwriting existing files

Linux and macOS are not affected, as they treat backslashes as literal filename characters.
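The following is an added example, not NiceGUI's code and not the fix in the referenced commit. It places the POSIX-only sanitization the advisory describes beside a hardened form that strips path components under both separator conventions (and drive letters) and rejects whatever remains if it is not a plain, non-empty filename. `is_contained_on_windows` is a hypothetical helper that evaluates Windows join semantics with `PureWindowsPath`, so the check runs on any host without touching the filesystem.

```python
from pathlib import PurePosixPath, PureWindowsPath


def sanitize_posix_only(filename: str) -> str:
    """Sanitization in the form the advisory describes: only '/' counts
    as a separator, so backslash-separated components survive intact."""
    return PurePosixPath(filename or '').name


def sanitize_cross_platform(filename: str) -> str:
    """Hardened form (added example, not NiceGUI's fix): take the final
    component under POSIX rules, then again under Windows rules, which
    also drops drive prefixes such as 'C:'. Reject anything that is still
    not a plain, non-empty filename."""
    name = PureWindowsPath(PurePosixPath(filename or '').name).name
    if name in ('', '.', '..') or '/' in name or '\\' in name:
        raise ValueError(f'unsafe upload filename: {filename!r}')
    return name


def is_contained_on_windows(upload_dir: str, name: str) -> bool:
    """Hypothetical check: would `Path(upload_dir) / name` on Windows stay
    inside upload_dir? A name that is absolute, carries a drive, or contains
    a '..' component after joining escapes the directory."""
    joined = PureWindowsPath(upload_dir) / name
    return (not joined.is_absolute()
            and joined.drive == ''
            and '..' not in joined.parts)


if __name__ == '__main__':
    # Constructed upload filenames, including the backslash case from the advisory.
    samples = ('report.pdf', '../../etc/passwd',
               '..\\..\\secret\\evil.txt', 'C:\\Windows\\evil.exe')
    for raw in samples:
        posix = sanitize_posix_only(raw)
        print(f'{raw!r:32} posix-only -> {posix!r:32} '
              f'contained on Windows: {is_contained_on_windows("uploads", posix)}')
        print(f'{"":32} both       -> {sanitize_cross_platform(raw)!r}')
```

Applying both pure-path flavours is the portable choice: the upload handler cannot know which operating system will later join `file.name` onto a directory, so it should strip every separator either platform would honour rather than the one the server happens to run on.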
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-39844
reference_id
reference_type
scores
0
value 0.00064
scoring_system epss
scoring_elements 0.19967
published_at 2026-06-08T12:55:00Z
1
value 0.00064
scoring_system epss
scoring_elements 0.20033
published_at 2026-06-07T12:55:00Z
2
value 0.00064
scoring_system epss
scoring_elements 0.20072
published_at 2026-06-06T12:55:00Z
3
value 0.00064
scoring_system epss
scoring_elements 0.20077
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-39844
1
reference_url https://github.com/zauberzeug/nicegui
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/zauberzeug/nicegui
2
reference_url https://github.com/zauberzeug/nicegui/commit/d38a702e3af2da5b0708f689be8d71413fc77056
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:55:44Z/
url https://github.com/zauberzeug/nicegui/commit/d38a702e3af2da5b0708f689be8d71413fc77056
3
reference_url https://github.com/zauberzeug/nicegui/releases/tag/v3.10.0
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:55:44Z/
url https://github.com/zauberzeug/nicegui/releases/tag/v3.10.0
4
reference_url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w8wv-vfpc-hw2w
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:55:44Z/
url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w8wv-vfpc-hw2w
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-39844
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-39844
6
reference_url https://github.com/advisories/GHSA-w8wv-vfpc-hw2w
reference_id GHSA-w8wv-vfpc-hw2w
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w8wv-vfpc-hw2w
fixed_packages
0
url pkg:pypi/nicegui@3.10.0
purl pkg:pypi/nicegui@3.10.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.10.0
aliases CVE-2026-39844, GHSA-w8wv-vfpc-hw2w
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a4cq-3qf6-z7hv
1
url VCID-ztpy-m9yn-ukb4
vulnerability_id VCID-ztpy-m9yn-ukb4
summary
NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion
## Summary

NiceGUI's `app.add_media_file()` and `app.add_media_files()` media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once.

With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service.

## Impact

**Affected applications:** NiceGUI applications that serve media content via `app.add_media_file()` or `app.add_media_files()`, particularly those serving large files (video, audio).

**What an attacker can do:**
- Force the server to load entire files into memory instead of streaming them in chunks
- Amplify memory usage with concurrent requests to large media files
- Cause performance degradation, memory pressure, and potential OOM conditions

**Attack difficulty:** Low - requires only a crafted query parameter.

## Remediation

Upgrade to a patched version of NiceGUI.

As a workaround, restrict access to media endpoints or strip unexpected query parameters at a reverse proxy layer.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33332
reference_id
reference_type
scores
0
value 0.0004
scoring_system epss
scoring_elements 0.12497
published_at 2026-06-07T12:55:00Z
1
value 0.0004
scoring_system epss
scoring_elements 0.12414
published_at 2026-06-08T12:55:00Z
2
value 0.0004
scoring_system epss
scoring_elements 0.12534
published_at 2026-06-06T12:55:00Z
3
value 0.0004
scoring_system epss
scoring_elements 0.12532
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33332
1
reference_url https://github.com/zauberzeug/nicegui
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/zauberzeug/nicegui
2
reference_url https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T16:19:01Z/
url https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b
3
reference_url https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T16:19:01Z/
url https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0
4
reference_url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T16:19:01Z/
url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33332
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33332
6
reference_url https://github.com/advisories/GHSA-w5g8-5849-vj76
reference_id GHSA-w5g8-5849-vj76
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w5g8-5849-vj76
fixed_packages
0
url pkg:pypi/nicegui@3.9.0
purl pkg:pypi/nicegui@3.9.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-a4cq-3qf6-z7hv
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.9.0
aliases CVE-2026-33332, GHSA-w5g8-5849-vj76
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ztpy-m9yn-ukb4
Fixing_vulnerabilities
0
url VCID-1p1q-5q27-euha
vulnerability_id VCID-1p1q-5q27-euha
summary
NiceGUI vulnerable to XSS via Code Injection during client-side element function execution
Several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser.

Additionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27156
reference_id
reference_type
scores
0
value 0.00047
scoring_system epss
scoring_elements 0.14881
published_at 2026-06-08T12:55:00Z
1
value 0.00047
scoring_system epss
scoring_elements 0.14963
published_at 2026-06-07T12:55:00Z
2
value 0.00047
scoring_system epss
scoring_elements 0.15004
published_at 2026-06-06T12:55:00Z
3
value 0.00047
scoring_system epss
scoring_elements 0.15007
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27156
1
reference_url https://github.com/zauberzeug/nicegui
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/zauberzeug/nicegui
2
reference_url https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef3774720f8dbf
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T21:06:43Z/
url https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef3774720f8dbf
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27156
reference_id CVE-2026-27156
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27156
4
reference_url https://github.com/advisories/GHSA-78qv-3mpx-9cqq
reference_id GHSA-78qv-3mpx-9cqq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-78qv-3mpx-9cqq
5
reference_url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-78qv-3mpx-9cqq
reference_id GHSA-78qv-3mpx-9cqq
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T21:06:43Z/
url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-78qv-3mpx-9cqq
fixed_packages
0
url pkg:pypi/nicegui@3.8.0
purl pkg:pypi/nicegui@3.8.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-a4cq-3qf6-z7hv
1
vulnerability VCID-ztpy-m9yn-ukb4
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.8.0
aliases CVE-2026-27156, GHSA-78qv-3mpx-9cqq
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1p1q-5q27-euha
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.8.0