Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/nicegui@0.7.19
Type pypi
Namespace
Name nicegui
Version 0.7.19
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 3.10.0
Latest_non_vulnerable_version 3.12.0
Affected_by_vulnerabilities
0
url VCID-3tv5-etjd-q3hr
vulnerability_id VCID-3tv5-etjd-q3hr
summary NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.add_css, ui.add_scss, and ui.add_sass functions. The functions lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended <style> or <script> tags by injecting closing tags (e.g., </style> or </script>), allowing for the execution of arbitrary JavaScript. This issue is fixed in version 3.4.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-66469
reference_id
reference_type
scores
0
value 0.00042
scoring_system epss
scoring_elements 0.13381
published_at 2026-06-12T12:55:00Z
1
value 0.00042
scoring_system epss
scoring_elements 0.13274
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-66469
1
reference_url https://github.com/zauberzeug/nicegui
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/zauberzeug/nicegui
2
reference_url https://github.com/zauberzeug/nicegui/commit/a8fd25b7d5e23afb1952d0f60a1940e18b5f1ca8
reference_id a8fd25b7d5e23afb1952d0f60a1940e18b5f1ca8
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-09T14:18:04Z/
url https://github.com/zauberzeug/nicegui/commit/a8fd25b7d5e23afb1952d0f60a1940e18b5f1ca8
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-66469
reference_id CVE-2025-66469
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-66469
4
reference_url https://github.com/advisories/GHSA-72qc-wxch-74mg
reference_id GHSA-72qc-wxch-74mg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-72qc-wxch-74mg
5
reference_url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-72qc-wxch-74mg
reference_id GHSA-72qc-wxch-74mg
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-09T14:18:04Z/
url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-72qc-wxch-74mg
fixed_packages
0
url pkg:pypi/nicegui@3.4.0
purl pkg:pypi/nicegui@3.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4bwj-5kq4-nfas
1
vulnerability VCID-6jca-vw6d-ubdp
2
vulnerability VCID-77re-u8ec-8qdx
3
vulnerability VCID-9r69-v46g-nbea
4
vulnerability VCID-ch7g-e8bv-mkck
5
vulnerability VCID-cw8a-xpmx-kfh9
6
vulnerability VCID-m48n-q2g3-4fgd
7
vulnerability VCID-wgp7-za8k-bqaq
8
vulnerability VCID-yjjx-r1vh-d3gn
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.4.0
aliases CVE-2025-66469, GHSA-72qc-wxch-74mg
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3tv5-etjd-q3hr
1
url VCID-6jca-vw6d-ubdp
vulnerability_id VCID-6jca-vw6d-ubdp
summary NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33332
reference_id
reference_type
scores
0
value 0.0004
scoring_system epss
scoring_elements 0.12524
published_at 2026-06-11T12:55:00Z
1
value 0.0004
scoring_system epss
scoring_elements 0.12617
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33332
1
reference_url https://github.com/zauberzeug/nicegui
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/zauberzeug/nicegui
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33332
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33332
3
reference_url https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b
reference_id 9026962b8c4f3f225c98b2fbc35aa6b60cb3495b
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T16:19:01Z/
url https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b
4
reference_url https://github.com/advisories/GHSA-w5g8-5849-vj76
reference_id GHSA-w5g8-5849-vj76
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w5g8-5849-vj76
5
reference_url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76
reference_id GHSA-w5g8-5849-vj76
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T16:19:01Z/
url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76
6
reference_url https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0
reference_id v3.9.0
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T16:19:01Z/
url https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0
fixed_packages
0
url pkg:pypi/nicegui@3.9.0
purl pkg:pypi/nicegui@3.9.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-yjjx-r1vh-d3gn
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.9.0
aliases CVE-2026-33332, GHSA-w5g8-5849-vj76
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6jca-vw6d-ubdp
2
url VCID-94cg-b1b8-f3ag
vulnerability_id VCID-94cg-b1b8-f3ag
summary NiceGUI is a Python-based UI framework. Versions 2.24.2 and below are at risk for Cross-Site Scripting (XSS) when developers render unescaped user input into the DOM using ui.html(). NiceGUI did not enforce HTML or JavaScript sanitization, so applications that directly combine components like ui.input() with ui.html() or ui.chat_message with HTML content without escaping may allow attackers to execute arbitrary JavaScript in the user’s browser. Applications that do not pass untrusted input into ui.html() are not affected. This issue is fixed in version 3.0.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-53354
reference_id
reference_type
scores
0
value 0.00027
scoring_system epss
scoring_elements 0.08045
published_at 2026-06-12T12:55:00Z
1
value 0.00027
scoring_system epss
scoring_elements 0.0801
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-53354
1
reference_url https://github.com/zauberzeug/nicegui
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/zauberzeug/nicegui
2
reference_url https://github.com/zauberzeug/nicegui/commit/4673dc35c94a0c7339e2164378b0977332e60775
reference_id 4673dc35c94a0c7339e2164378b0977332e60775
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-03T19:41:55Z/
url https://github.com/zauberzeug/nicegui/commit/4673dc35c94a0c7339e2164378b0977332e60775
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-53354
reference_id CVE-2025-53354
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-53354
4
reference_url https://github.com/advisories/GHSA-8c95-hpq2-w46f
reference_id GHSA-8c95-hpq2-w46f
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8c95-hpq2-w46f
5
reference_url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-8c95-hpq2-w46f
reference_id GHSA-8c95-hpq2-w46f
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-03T19:41:55Z/
url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-8c95-hpq2-w46f
fixed_packages
0
url pkg:pypi/nicegui@3.0.0
purl pkg:pypi/nicegui@3.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3tv5-etjd-q3hr
1
vulnerability VCID-4bwj-5kq4-nfas
2
vulnerability VCID-6jca-vw6d-ubdp
3
vulnerability VCID-77re-u8ec-8qdx
4
vulnerability VCID-9r69-v46g-nbea
5
vulnerability VCID-ch7g-e8bv-mkck
6
vulnerability VCID-cw8a-xpmx-kfh9
7
vulnerability VCID-m48n-q2g3-4fgd
8
vulnerability VCID-mtpf-xq2a-9ubk
9
vulnerability VCID-p7ts-gwhs-bqda
10
vulnerability VCID-wgp7-za8k-bqaq
11
vulnerability VCID-yjjx-r1vh-d3gn
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.0.0
aliases CVE-2025-53354, GHSA-8c95-hpq2-w46f
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-94cg-b1b8-f3ag
3
url VCID-byww-65h7-efcu
vulnerability_id VCID-byww-65h7-efcu
summary NiceGUI is an easy-to-use, Python-based UI framework. Prior to 2.9.1, authenticating with NiceGUI logged in the user for all browsers, including browsers in incognito mode. This vulnerability is fixed in 2.9.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-21618
reference_id
reference_type
scores
0
value 0.00172
scoring_system epss
scoring_elements 0.38475
published_at 2026-06-11T12:55:00Z
1
value 0.00172
scoring_system epss
scoring_elements 0.38648
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-21618
1
reference_url https://github.com/zauberzeug/nicegui
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/zauberzeug/nicegui
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-21618
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-21618
3
reference_url https://github.com/zauberzeug/nicegui/commit/1621a4ba6a06676b8094362d36623551e651adc1
reference_id 1621a4ba6a06676b8094362d36623551e651adc1
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-06T16:47:23Z/
url https://github.com/zauberzeug/nicegui/commit/1621a4ba6a06676b8094362d36623551e651adc1
4
reference_url https://github.com/advisories/GHSA-v6jv-p6r8-j78w
reference_id GHSA-v6jv-p6r8-j78w
reference_type
scores
url https://github.com/advisories/GHSA-v6jv-p6r8-j78w
5
reference_url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v6jv-p6r8-j78w
reference_id GHSA-v6jv-p6r8-j78w
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-06T16:47:23Z/
url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v6jv-p6r8-j78w
fixed_packages
0
url pkg:pypi/nicegui@2.9.1
purl pkg:pypi/nicegui@2.9.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3tv5-etjd-q3hr
1
vulnerability VCID-6jca-vw6d-ubdp
2
vulnerability VCID-94cg-b1b8-f3ag
3
vulnerability VCID-ch7g-e8bv-mkck
4
vulnerability VCID-cw8a-xpmx-kfh9
5
vulnerability VCID-mtpf-xq2a-9ubk
6
vulnerability VCID-p7ts-gwhs-bqda
7
vulnerability VCID-wgp7-za8k-bqaq
8
vulnerability VCID-yjjx-r1vh-d3gn
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@2.9.1
aliases CVE-2025-21618, GHSA-v6jv-p6r8-j78w
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-byww-65h7-efcu
4
url VCID-ch7g-e8bv-mkck
vulnerability_id VCID-ch7g-e8bv-mkck
summary NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers. Unlike other NiceGUI components that render HTML (ui.html(), ui.chat_message(), ui.interactive_image()), the ui.markdown() component does not provide or require a sanitize parameter, leaving applications vulnerable to XSS attacks. This vulnerability is fixed in 3.7.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25516
reference_id
reference_type
scores
0
value 0.00025
scoring_system epss
scoring_elements 0.07564
published_at 2026-06-12T12:55:00Z
1
value 0.00025
scoring_system epss
scoring_elements 0.07527
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25516
1
reference_url https://github.com/zauberzeug/nicegui
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/zauberzeug/nicegui
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25516
reference_id CVE-2026-25516
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25516
3
reference_url https://github.com/zauberzeug/nicegui/commit/f1f7533577875af7d23f161ed3627f73584cb561
reference_id f1f7533577875af7d23f161ed3627f73584cb561
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:19:21Z/
url https://github.com/zauberzeug/nicegui/commit/f1f7533577875af7d23f161ed3627f73584cb561
4
reference_url https://github.com/advisories/GHSA-v82v-c5x8-w282
reference_id GHSA-v82v-c5x8-w282
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v82v-c5x8-w282
5
reference_url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v82v-c5x8-w282
reference_id GHSA-v82v-c5x8-w282
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:19:21Z/
url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v82v-c5x8-w282
fixed_packages
0
url pkg:pypi/nicegui@3.7.0
purl pkg:pypi/nicegui@3.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6jca-vw6d-ubdp
1
vulnerability VCID-wgp7-za8k-bqaq
2
vulnerability VCID-yjjx-r1vh-d3gn
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.7.0
aliases CVE-2026-25516, GHSA-v82v-c5x8-w282
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ch7g-e8bv-mkck
5
url VCID-cw8a-xpmx-kfh9
vulnerability_id VCID-cw8a-xpmx-kfh9
summary NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25732
reference_id
reference_type
scores
0
value 0.01472
scoring_system epss
scoring_elements 0.81414
published_at 2026-06-12T12:55:00Z
1
value 0.01472
scoring_system epss
scoring_elements 0.81353
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25732
1
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/nicegui/PYSEC-2026-95.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/nicegui/PYSEC-2026-95.yaml
2
reference_url https://github.com/zauberzeug/nicegui
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/zauberzeug/nicegui
3
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52534.py
reference_id CVE-2026-25732
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52534.py
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25732
reference_id CVE-2026-25732
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25732
5
reference_url https://github.com/advisories/GHSA-9ffm-fxg3-xrhh
reference_id GHSA-9ffm-fxg3-xrhh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9ffm-fxg3-xrhh
6
reference_url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh
reference_id GHSA-9ffm-fxg3-xrhh
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:57Z/
url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh
7
reference_url https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115
reference_id upload_files.py#L110-L115
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:57Z/
url https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115
8
reference_url https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82
reference_id upload_files.py#L79-L82
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:57Z/
url https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82
fixed_packages
0
url pkg:pypi/nicegui@3.7.0
purl pkg:pypi/nicegui@3.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6jca-vw6d-ubdp
1
vulnerability VCID-wgp7-za8k-bqaq
2
vulnerability VCID-yjjx-r1vh-d3gn
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.7.0
aliases CVE-2026-25732, GHSA-9ffm-fxg3-xrhh, PYSEC-2026-95
risk_score 10.0
exploitability 2.0
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cw8a-xpmx-kfh9
6
url VCID-mtpf-xq2a-9ubk
vulnerability_id VCID-mtpf-xq2a-9ubk
summary NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to directory traversal through the App.add_media_files() function, which allows a remote attacker to read arbitrary files on the server filesystem. This issue is fixed in version 3.4.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-66645
reference_id
reference_type
scores
0
value 0.00755
scoring_system epss
scoring_elements 0.73768
published_at 2026-06-12T12:55:00Z
1
value 0.00755
scoring_system epss
scoring_elements 0.73693
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-66645
1
reference_url https://github.com/zauberzeug/nicegui
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/zauberzeug/nicegui
2
reference_url https://github.com/zauberzeug/nicegui/commit/a1b89e2a24e1911a40389ace2153a37f4eea92a9
reference_id a1b89e2a24e1911a40389ace2153a37f4eea92a9
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-10T16:14:20Z/
url https://github.com/zauberzeug/nicegui/commit/a1b89e2a24e1911a40389ace2153a37f4eea92a9
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-66645
reference_id CVE-2025-66645
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-66645
4
reference_url https://github.com/advisories/GHSA-hxp3-63hc-5366
reference_id GHSA-hxp3-63hc-5366
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hxp3-63hc-5366
5
reference_url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-hxp3-63hc-5366
reference_id GHSA-hxp3-63hc-5366
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-10T16:14:20Z/
url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-hxp3-63hc-5366
fixed_packages
0
url pkg:pypi/nicegui@3.4.0
purl pkg:pypi/nicegui@3.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4bwj-5kq4-nfas
1
vulnerability VCID-6jca-vw6d-ubdp
2
vulnerability VCID-77re-u8ec-8qdx
3
vulnerability VCID-9r69-v46g-nbea
4
vulnerability VCID-ch7g-e8bv-mkck
5
vulnerability VCID-cw8a-xpmx-kfh9
6
vulnerability VCID-m48n-q2g3-4fgd
7
vulnerability VCID-wgp7-za8k-bqaq
8
vulnerability VCID-yjjx-r1vh-d3gn
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.4.0
aliases CVE-2025-66645, GHSA-hxp3-63hc-5366
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mtpf-xq2a-9ubk
7
url VCID-p7ts-gwhs-bqda
vulnerability_id VCID-p7ts-gwhs-bqda
summary NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are subject to an XSS vulnerability through the ui.interactive_image component of NiceGUI. The component renders SVG content using Vue's v-html directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG <foreignObject> tag whenever the image component is rendered or updated. This is particularly dangerous for dashboards or multi-user applications displaying user-generated content or annotations. This issue is fixed in version 3.4.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-66470
reference_id
reference_type
scores
0
value 0.0001
scoring_system epss
scoring_elements 0.01235
published_at 2026-06-12T12:55:00Z
1
value 0.0001
scoring_system epss
scoring_elements 0.01238
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-66470
1
reference_url https://github.com/zauberzeug/nicegui
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/zauberzeug/nicegui
2
reference_url https://github.com/zauberzeug/nicegui/commit/58ad0b36e19922de16bbc79ea3ddd29851b1a3e3
reference_id 58ad0b36e19922de16bbc79ea3ddd29851b1a3e3
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-09T14:17:55Z/
url https://github.com/zauberzeug/nicegui/commit/58ad0b36e19922de16bbc79ea3ddd29851b1a3e3
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-66470
reference_id CVE-2025-66470
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-66470
4
reference_url https://github.com/advisories/GHSA-2m4f-cg75-76w2
reference_id GHSA-2m4f-cg75-76w2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2m4f-cg75-76w2
5
reference_url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-2m4f-cg75-76w2
reference_id GHSA-2m4f-cg75-76w2
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-09T14:17:55Z/
url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-2m4f-cg75-76w2
fixed_packages
0
url pkg:pypi/nicegui@3.4.0
purl pkg:pypi/nicegui@3.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4bwj-5kq4-nfas
1
vulnerability VCID-6jca-vw6d-ubdp
2
vulnerability VCID-77re-u8ec-8qdx
3
vulnerability VCID-9r69-v46g-nbea
4
vulnerability VCID-ch7g-e8bv-mkck
5
vulnerability VCID-cw8a-xpmx-kfh9
6
vulnerability VCID-m48n-q2g3-4fgd
7
vulnerability VCID-wgp7-za8k-bqaq
8
vulnerability VCID-yjjx-r1vh-d3gn
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.4.0
aliases CVE-2025-66470, GHSA-2m4f-cg75-76w2
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p7ts-gwhs-bqda
8
url VCID-wgp7-za8k-bqaq
vulnerability_id VCID-wgp7-za8k-bqaq
summary NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser. Additionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context. Version 3.8.0 contains a fix.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27156
reference_id
reference_type
scores
0
value 0.00047
scoring_system epss
scoring_elements 0.15121
published_at 2026-06-12T12:55:00Z
1
value 0.00047
scoring_system epss
scoring_elements 0.14998
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27156
1
reference_url https://github.com/zauberzeug/nicegui
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/zauberzeug/nicegui
2
reference_url https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef3774720f8dbf
reference_id 1861f59cc374ca0dc9d970b157ef3774720f8dbf
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T21:06:43Z/
url https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef3774720f8dbf
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27156
reference_id CVE-2026-27156
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27156
4
reference_url https://github.com/advisories/GHSA-78qv-3mpx-9cqq
reference_id GHSA-78qv-3mpx-9cqq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-78qv-3mpx-9cqq
5
reference_url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-78qv-3mpx-9cqq
reference_id GHSA-78qv-3mpx-9cqq
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T21:06:43Z/
url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-78qv-3mpx-9cqq
fixed_packages
0
url pkg:pypi/nicegui@3.8.0
purl pkg:pypi/nicegui@3.8.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6jca-vw6d-ubdp
1
vulnerability VCID-yjjx-r1vh-d3gn
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.8.0
aliases CVE-2026-27156, GHSA-78qv-3mpx-9cqq
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wgp7-za8k-bqaq
9
url VCID-yjjx-r1vh-d3gn
vulnerability_id VCID-yjjx-r1vh-d3gn
summary NiceGUI is a Python-based UI framework. Prior to 3.10.0, since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (\) in the upload filename. Applications that construct file paths using file.name (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows. This vulnerability is fixed in 3.10.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-39844
reference_id
reference_type
scores
0
value 0.00064
scoring_system epss
scoring_elements 0.20058
published_at 2026-06-11T12:55:00Z
1
value 0.00064
scoring_system epss
scoring_elements 0.20232
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-39844
1
reference_url https://github.com/zauberzeug/nicegui
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/zauberzeug/nicegui
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-39844
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-39844
3
reference_url https://github.com/zauberzeug/nicegui/commit/d38a702e3af2da5b0708f689be8d71413fc77056
reference_id d38a702e3af2da5b0708f689be8d71413fc77056
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:55:44Z/
url https://github.com/zauberzeug/nicegui/commit/d38a702e3af2da5b0708f689be8d71413fc77056
4
reference_url https://github.com/advisories/GHSA-w8wv-vfpc-hw2w
reference_id GHSA-w8wv-vfpc-hw2w
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w8wv-vfpc-hw2w
5
reference_url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w8wv-vfpc-hw2w
reference_id GHSA-w8wv-vfpc-hw2w
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:55:44Z/
url https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w8wv-vfpc-hw2w
6
reference_url https://github.com/zauberzeug/nicegui/releases/tag/v3.10.0
reference_id v3.10.0
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:55:44Z/
url https://github.com/zauberzeug/nicegui/releases/tag/v3.10.0
fixed_packages
0
url pkg:pypi/nicegui@3.10.0
purl pkg:pypi/nicegui@3.10.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.10.0
aliases CVE-2026-39844, GHSA-w8wv-vfpc-hw2w
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yjjx-r1vh-d3gn
Fixing_vulnerabilities
Risk_score 10.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@0.7.19