Package Instance
Look up vulnerable packages by Package URL (purl).
GET /api/packages/89979?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/89979?format=api", "purl": "pkg:pypi/nicegui@0.7.19", "type": "pypi", "namespace": "", "name": "nicegui", "version": "0.7.19", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.10.0", "latest_non_vulnerable_version": "3.12.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94962?format=api", "vulnerability_id": "VCID-3tv5-etjd-q3hr", "summary": "NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.add_css, ui.add_scss, and ui.add_sass functions. The functions lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended <style> or <script> tags by injecting closing tags (e.g., </style> or </script>), allowing for the execution of arbitrary JavaScript. This issue is fixed in version 3.4.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66469", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13381", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13274", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66469" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://github.com/zauberzeug/nicegui/commit/a8fd25b7d5e23afb1952d0f60a1940e18b5f1ca8", "reference_id": "a8fd25b7d5e23afb1952d0f60a1940e18b5f1ca8", "reference_type": "", "scores": [ { 
"value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-09T14:18:04Z/" } ], "url": "https://github.com/zauberzeug/nicegui/commit/a8fd25b7d5e23afb1952d0f60a1940e18b5f1ca8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66469", "reference_id": "CVE-2025-66469", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66469" }, { "reference_url": "https://github.com/advisories/GHSA-72qc-wxch-74mg", "reference_id": "GHSA-72qc-wxch-74mg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-72qc-wxch-74mg" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-72qc-wxch-74mg", "reference_id": "GHSA-72qc-wxch-74mg", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-09T14:18:04Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-72qc-wxch-74mg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35916?format=api", "purl": "pkg:pypi/nicegui@3.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { 
"vulnerability": "VCID-4bwj-5kq4-nfas" }, { "vulnerability": "VCID-6jca-vw6d-ubdp" }, { "vulnerability": "VCID-77re-u8ec-8qdx" }, { "vulnerability": "VCID-9r69-v46g-nbea" }, { "vulnerability": "VCID-ch7g-e8bv-mkck" }, { "vulnerability": "VCID-cw8a-xpmx-kfh9" }, { "vulnerability": "VCID-m48n-q2g3-4fgd" }, { "vulnerability": "VCID-wgp7-za8k-bqaq" }, { "vulnerability": "VCID-yjjx-r1vh-d3gn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.4.0" } ], "aliases": [ "CVE-2025-66469", "GHSA-72qc-wxch-74mg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3tv5-etjd-q3hr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77904?format=api", "vulnerability_id": "VCID-6jca-vw6d-ubdp", "summary": "NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. 
This issue has been patched in version 3.9.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33332", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12524", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12617", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33332" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33332", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33332" }, { "reference_url": "https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b", "reference_id": "9026962b8c4f3f225c98b2fbc35aa6b60cb3495b", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": 
"MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T16:19:01Z/" } ], "url": "https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b" }, { "reference_url": "https://github.com/advisories/GHSA-w5g8-5849-vj76", "reference_id": "GHSA-w5g8-5849-vj76", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w5g8-5849-vj76" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76", "reference_id": "GHSA-w5g8-5849-vj76", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T16:19:01Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76" }, { "reference_url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0", "reference_id": "v3.9.0", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T16:19:01Z/" } ], "url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375278?format=api", "purl": "pkg:pypi/nicegui@3.9.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-yjjx-r1vh-d3gn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.9.0" } ], "aliases": [ "CVE-2026-33332", "GHSA-w5g8-5849-vj76" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6jca-vw6d-ubdp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/105578?format=api", "vulnerability_id": "VCID-94cg-b1b8-f3ag", "summary": "NiceGUI is a Python-based UI framework. Versions 2.24.2 and below are at risk for Cross-Site Scripting (XSS) when developers render unescaped user input into the DOM using ui.html(). NiceGUI did not enforce HTML or JavaScript sanitization, so applications that directly combine components like ui.input() with ui.html() or ui.chat_message with HTML content without escaping may allow attackers to execute arbitrary JavaScript in the user’s browser. Applications that do not pass untrusted input into ui.html() are not affected. 
This issue is fixed in version 3.0.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-53354", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08045", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.0801", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-53354" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://github.com/zauberzeug/nicegui/commit/4673dc35c94a0c7339e2164378b0977332e60775", "reference_id": "4673dc35c94a0c7339e2164378b0977332e60775", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-03T19:41:55Z/" } ], "url": "https://github.com/zauberzeug/nicegui/commit/4673dc35c94a0c7339e2164378b0977332e60775" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53354", "reference_id": "CVE-2025-53354", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53354" }, { "reference_url": "https://github.com/advisories/GHSA-8c95-hpq2-w46f", "reference_id": 
"GHSA-8c95-hpq2-w46f", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8c95-hpq2-w46f" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-8c95-hpq2-w46f", "reference_id": "GHSA-8c95-hpq2-w46f", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-03T19:41:55Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-8c95-hpq2-w46f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34080?format=api", "purl": "pkg:pypi/nicegui@3.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3tv5-etjd-q3hr" }, { "vulnerability": "VCID-4bwj-5kq4-nfas" }, { "vulnerability": "VCID-6jca-vw6d-ubdp" }, { "vulnerability": "VCID-77re-u8ec-8qdx" }, { "vulnerability": "VCID-9r69-v46g-nbea" }, { "vulnerability": "VCID-ch7g-e8bv-mkck" }, { "vulnerability": "VCID-cw8a-xpmx-kfh9" }, { "vulnerability": "VCID-m48n-q2g3-4fgd" }, { "vulnerability": "VCID-mtpf-xq2a-9ubk" }, { "vulnerability": "VCID-p7ts-gwhs-bqda" }, { "vulnerability": "VCID-wgp7-za8k-bqaq" }, { "vulnerability": "VCID-yjjx-r1vh-d3gn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.0.0" } ], "aliases": [ "CVE-2025-53354", "GHSA-8c95-hpq2-w46f" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-94cg-b1b8-f3ag" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/109933?format=api", 
"vulnerability_id": "VCID-byww-65h7-efcu", "summary": "NiceGUI is an easy-to-use, Python-based UI framework. Prior to 2.9.1, authenticating with NiceGUI logged in the user for all browsers, including browsers in incognito mode. This vulnerability is fixed in 2.9.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-21618", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00172", "scoring_system": "epss", "scoring_elements": "0.38475", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00172", "scoring_system": "epss", "scoring_elements": "0.38648", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-21618" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21618", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21618" }, { "reference_url": "https://github.com/zauberzeug/nicegui/commit/1621a4ba6a06676b8094362d36623551e651adc1", "reference_id": "1621a4ba6a06676b8094362d36623551e651adc1", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-06T16:47:23Z/" } ], "url": "https://github.com/zauberzeug/nicegui/commit/1621a4ba6a06676b8094362d36623551e651adc1" }, { "reference_url": "https://github.com/advisories/GHSA-v6jv-p6r8-j78w", "reference_id": "GHSA-v6jv-p6r8-j78w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-v6jv-p6r8-j78w" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v6jv-p6r8-j78w", "reference_id": "GHSA-v6jv-p6r8-j78w", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-06T16:47:23Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v6jv-p6r8-j78w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/90147?format=api", "purl": "pkg:pypi/nicegui@2.9.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3tv5-etjd-q3hr" }, { "vulnerability": "VCID-6jca-vw6d-ubdp" }, { "vulnerability": "VCID-94cg-b1b8-f3ag" }, { "vulnerability": "VCID-ch7g-e8bv-mkck" }, { "vulnerability": "VCID-cw8a-xpmx-kfh9" }, { "vulnerability": "VCID-mtpf-xq2a-9ubk" }, { "vulnerability": "VCID-p7ts-gwhs-bqda" }, { "vulnerability": "VCID-wgp7-za8k-bqaq" }, { "vulnerability": "VCID-yjjx-r1vh-d3gn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@2.9.1" } ], "aliases": [ "CVE-2025-21618", "GHSA-v6jv-p6r8-j78w" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-byww-65h7-efcu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66172?format=api", "vulnerability_id": "VCID-ch7g-e8bv-mkck", "summary": "NiceGUI 
is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers. Unlike other NiceGUI components that render HTML (ui.html(), ui.chat_message(), ui.interactive_image()), the ui.markdown() component does not provide or require a sanitize parameter, leaving applications vulnerable to XSS attacks. This vulnerability is fixed in 3.7.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25516", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07564", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07527", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25516" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25516", "reference_id": "CVE-2026-25516", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25516" }, { "reference_url": 
"https://github.com/zauberzeug/nicegui/commit/f1f7533577875af7d23f161ed3627f73584cb561", "reference_id": "f1f7533577875af7d23f161ed3627f73584cb561", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:19:21Z/" } ], "url": "https://github.com/zauberzeug/nicegui/commit/f1f7533577875af7d23f161ed3627f73584cb561" }, { "reference_url": "https://github.com/advisories/GHSA-v82v-c5x8-w282", "reference_id": "GHSA-v82v-c5x8-w282", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v82v-c5x8-w282" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v82v-c5x8-w282", "reference_id": "GHSA-v82v-c5x8-w282", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:19:21Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v82v-c5x8-w282" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38782?format=api", "purl": "pkg:pypi/nicegui@3.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6jca-vw6d-ubdp" }, { "vulnerability": "VCID-wgp7-za8k-bqaq" }, { "vulnerability": "VCID-yjjx-r1vh-d3gn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.7.0" } ], 
"aliases": [ "CVE-2026-25516", "GHSA-v82v-c5x8-w282" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ch7g-e8bv-mkck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65933?format=api", "vulnerability_id": "VCID-cw8a-xpmx-kfh9", "summary": "NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. 
This vulnerability is fixed in 3.7.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25732", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01472", "scoring_system": "epss", "scoring_elements": "0.81414", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.01472", "scoring_system": "epss", "scoring_elements": "0.81353", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25732" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/nicegui/PYSEC-2026-95.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nicegui/PYSEC-2026-95.yaml" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52534.py", "reference_id": "CVE-2026-25732", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52534.py" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25732", "reference_id": "CVE-2026-25732", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2026-25732" }, { "reference_url": "https://github.com/advisories/GHSA-9ffm-fxg3-xrhh", "reference_id": "GHSA-9ffm-fxg3-xrhh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9ffm-fxg3-xrhh" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh", "reference_id": "GHSA-9ffm-fxg3-xrhh", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:57Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh" }, { "reference_url": "https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115", "reference_id": "upload_files.py#L110-L115", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:57Z/" } ], "url": "https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115" }, { "reference_url": "https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82", "reference_id": "upload_files.py#L79-L82", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:57Z/" } ], "url": "https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38782?format=api", "purl": "pkg:pypi/nicegui@3.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6jca-vw6d-ubdp" }, { "vulnerability": "VCID-wgp7-za8k-bqaq" }, { "vulnerability": "VCID-yjjx-r1vh-d3gn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.7.0" } ], "aliases": [ "CVE-2026-25732", "GHSA-9ffm-fxg3-xrhh", "PYSEC-2026-95" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cw8a-xpmx-kfh9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94600?format=api", "vulnerability_id": "VCID-mtpf-xq2a-9ubk", "summary": "NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to directory traversal through the App.add_media_files() function, which allows a remote attacker to read arbitrary files on the server filesystem. 
This issue is fixed in version 3.4.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66645", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00755", "scoring_system": "epss", "scoring_elements": "0.73768", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00755", "scoring_system": "epss", "scoring_elements": "0.73693", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66645" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://github.com/zauberzeug/nicegui/commit/a1b89e2a24e1911a40389ace2153a37f4eea92a9", "reference_id": "a1b89e2a24e1911a40389ace2153a37f4eea92a9", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-10T16:14:20Z/" } ], "url": "https://github.com/zauberzeug/nicegui/commit/a1b89e2a24e1911a40389ace2153a37f4eea92a9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66645", "reference_id": "CVE-2025-66645", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66645" }, { "reference_url": "https://github.com/advisories/GHSA-hxp3-63hc-5366", "reference_id": 
"GHSA-hxp3-63hc-5366", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hxp3-63hc-5366" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-hxp3-63hc-5366", "reference_id": "GHSA-hxp3-63hc-5366", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-10T16:14:20Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-hxp3-63hc-5366" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35916?format=api", "purl": "pkg:pypi/nicegui@3.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4bwj-5kq4-nfas" }, { "vulnerability": "VCID-6jca-vw6d-ubdp" }, { "vulnerability": "VCID-77re-u8ec-8qdx" }, { "vulnerability": "VCID-9r69-v46g-nbea" }, { "vulnerability": "VCID-ch7g-e8bv-mkck" }, { "vulnerability": "VCID-cw8a-xpmx-kfh9" }, { "vulnerability": "VCID-m48n-q2g3-4fgd" }, { "vulnerability": "VCID-wgp7-za8k-bqaq" }, { "vulnerability": "VCID-yjjx-r1vh-d3gn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.4.0" } ], "aliases": [ "CVE-2025-66645", "GHSA-hxp3-63hc-5366" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mtpf-xq2a-9ubk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94752?format=api", "vulnerability_id": "VCID-p7ts-gwhs-bqda", "summary": "NiceGUI is a Python-based UI framework. 
Versions 3.3.1 and below are subject to a XSS vulnerability through the ui.interactive_image component of NiceGUI. The component renders SVG content using Vue's v-html directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG <foreignObject> tag whenever the image component is rendered or updated. This is particularly dangerous for dashboards or multi-user applications displaying user-generated content or annotations. This issue is fixed in version 3.4.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66470", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01235", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01238", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66470" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://github.com/zauberzeug/nicegui/commit/58ad0b36e19922de16bbc79ea3ddd29851b1a3e3", "reference_id": "58ad0b36e19922de16bbc79ea3ddd29851b1a3e3", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-09T14:17:55Z/" } ], "url": "https://github.com/zauberzeug/nicegui/commit/58ad0b36e19922de16bbc79ea3ddd29851b1a3e3" }, { "reference_url": 
"https://nvd.nist.gov/vuln/detail/CVE-2025-66470", "reference_id": "CVE-2025-66470", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66470" }, { "reference_url": "https://github.com/advisories/GHSA-2m4f-cg75-76w2", "reference_id": "GHSA-2m4f-cg75-76w2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2m4f-cg75-76w2" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-2m4f-cg75-76w2", "reference_id": "GHSA-2m4f-cg75-76w2", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-09T14:17:55Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-2m4f-cg75-76w2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35916?format=api", "purl": "pkg:pypi/nicegui@3.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4bwj-5kq4-nfas" }, { "vulnerability": "VCID-6jca-vw6d-ubdp" }, { "vulnerability": "VCID-77re-u8ec-8qdx" }, { "vulnerability": "VCID-9r69-v46g-nbea" }, { "vulnerability": "VCID-ch7g-e8bv-mkck" }, { "vulnerability": "VCID-cw8a-xpmx-kfh9" }, { "vulnerability": "VCID-m48n-q2g3-4fgd" }, { "vulnerability": "VCID-wgp7-za8k-bqaq" }, { "vulnerability": "VCID-yjjx-r1vh-d3gn" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.4.0" } ], "aliases": [ "CVE-2025-66470", "GHSA-2m4f-cg75-76w2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p7ts-gwhs-bqda" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80155?format=api", "vulnerability_id": "VCID-wgp7-za8k-bqaq", "summary": "NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser. Additionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context. 
Version 3.8.0 contains a fix.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27156", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.15121", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.14998", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27156" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef3774720f8dbf", "reference_id": "1861f59cc374ca0dc9d970b157ef3774720f8dbf", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T21:06:43Z/" } ], "url": "https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef3774720f8dbf" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27156", "reference_id": "CVE-2026-27156", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27156" }, { "reference_url": "https://github.com/advisories/GHSA-78qv-3mpx-9cqq", "reference_id": 
"GHSA-78qv-3mpx-9cqq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-78qv-3mpx-9cqq" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-78qv-3mpx-9cqq", "reference_id": "GHSA-78qv-3mpx-9cqq", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T21:06:43Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-78qv-3mpx-9cqq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39769?format=api", "purl": "pkg:pypi/nicegui@3.8.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6jca-vw6d-ubdp" }, { "vulnerability": "VCID-yjjx-r1vh-d3gn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.8.0" } ], "aliases": [ "CVE-2026-27156", "GHSA-78qv-3mpx-9cqq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wgp7-za8k-bqaq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/73172?format=api", "vulnerability_id": "VCID-yjjx-r1vh-d3gn", "summary": "NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (\\) in the upload filename. Applications that construct file paths using file.name (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows. 
This vulnerability is fixed in 3.10.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39844", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20058", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20232", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39844" }, { "reference_url": "https://github.com/zauberzeug/nicegui", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zauberzeug/nicegui" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39844", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39844" }, { "reference_url": "https://github.com/zauberzeug/nicegui/commit/d38a702e3af2da5b0708f689be8d71413fc77056", "reference_id": "d38a702e3af2da5b0708f689be8d71413fc77056", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:55:44Z/" } ], "url": "https://github.com/zauberzeug/nicegui/commit/d38a702e3af2da5b0708f689be8d71413fc77056" }, { "reference_url": "https://github.com/advisories/GHSA-w8wv-vfpc-hw2w", "reference_id": 
"GHSA-w8wv-vfpc-hw2w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w8wv-vfpc-hw2w" }, { "reference_url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w8wv-vfpc-hw2w", "reference_id": "GHSA-w8wv-vfpc-hw2w", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:55:44Z/" } ], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w8wv-vfpc-hw2w" }, { "reference_url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.10.0", "reference_id": "v3.10.0", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:55:44Z/" } ], "url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.10.0" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373553?format=api", "purl": "pkg:pypi/nicegui@3.10.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.10.0" } ], "aliases": [ "CVE-2026-39844", "GHSA-w8wv-vfpc-hw2w" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yjjx-r1vh-d3gn" } ], "fixing_vulnerabilities": [], "risk_score": "10.0", "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@0.7.19" }