{"url":"http://public2.vulnerablecode.io/api/packages/90006?format=json","purl":"pkg:pypi/nicegui@0.8.16","type":"pypi","namespace":"","name":"nicegui","version":"0.8.16","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.7.0","latest_non_vulnerable_version":"3.12.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/105578?format=json","vulnerability_id":"VCID-94cg-b1b8-f3ag","summary":"NiceGUI is a Python-based UI framework. Versions 2.24.2 and below are at risk for Cross-Site Scripting (XSS) when developers render unescaped user input into the DOM using ui.html(). NiceGUI did not enforce HTML or JavaScript sanitization, so applications that directly combine components like ui.input() with ui.html() or ui.chat_message() with HTML content without escaping may allow attackers to execute arbitrary JavaScript in the user’s browser. Applications that do not pass untrusted input into ui.html() are not affected. This issue is fixed in version 
3.0.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-53354","reference_id":"","reference_type":"","scores":[{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.0801","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-53354"},{"reference_url":"https://github.com/zauberzeug/nicegui","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zauberzeug/nicegui"},{"reference_url":"https://github.com/zauberzeug/nicegui/commit/4673dc35c94a0c7339e2164378b0977332e60775","reference_id":"4673dc35c94a0c7339e2164378b0977332e60775","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-03T19:41:55Z/"}],"url":"https://github.com/zauberzeug/nicegui/commit/4673dc35c94a0c7339e2164378b0977332e60775"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-53354","reference_id":"CVE-2025-53354","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-53354"},{"reference_url":"https://github.com/advisories/GHSA-8c95-hpq2-w46f","reference_id":"GHSA-8c95-hpq2-w46f","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8c95-hpq2-w46f"},{"reference_url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-8c95-hpq2-w46f","re
ference_id":"GHSA-8c95-hpq2-w46f","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-03T19:41:55Z/"}],"url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-8c95-hpq2-w46f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34080?format=json","purl":"pkg:pypi/nicegui@3.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cw8a-xpmx-kfh9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.0.0"}],"aliases":["CVE-2025-53354","GHSA-8c95-hpq2-w46f"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-94cg-b1b8-f3ag"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/109933?format=json","vulnerability_id":"VCID-byww-65h7-efcu","summary":"NiceGUI is an easy-to-use, Python-based UI framework. Prior to 2.9.1, authenticating with NiceGUI logged in the user for all browsers, including browsers in incognito mode. 
This vulnerability is fixed in 2.9.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-21618","reference_id":"","reference_type":"","scores":[{"value":"0.00172","scoring_system":"epss","scoring_elements":"0.38475","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-21618"},{"reference_url":"https://github.com/zauberzeug/nicegui","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zauberzeug/nicegui"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21618","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21618"},{"reference_url":"https://github.com/zauberzeug/nicegui/commit/1621a4ba6a06676b8094362d36623551e651adc1","reference_id":"1621a4ba6a06676b8094362d36623551e651adc1","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-06T16:47:23Z/"}],"url":"https://github.com/zauberzeug/nicegui/commit/1621a4ba6a06676b8094362d36623551e651adc1"},{"reference_url":"https://github.com/advisories/GHSA-v6jv-p6r8-j78w","reference_id":"GHSA-v6jv-p6r8-j78w","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-v6jv-p6r8-j78w"},{"reference_url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v6jv-p6r8-j78w","reference_id":"GHSA-v6jv-p6r8-j78w","reference_type":"","scores":[{"v
alue":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-06T16:47:23Z/"}],"url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v6jv-p6r8-j78w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/90147?format=json","purl":"pkg:pypi/nicegui@2.9.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-94cg-b1b8-f3ag"},{"vulnerability":"VCID-cw8a-xpmx-kfh9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@2.9.1"}],"aliases":["CVE-2025-21618","GHSA-v6jv-p6r8-j78w"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-byww-65h7-efcu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65933?format=json","vulnerability_id":"VCID-cw8a-xpmx-kfh9","summary":"NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. 
This vulnerability is fixed in 3.7.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25732","reference_id":"","reference_type":"","scores":[{"value":"0.01472","scoring_system":"epss","scoring_elements":"0.81353","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25732"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nicegui/PYSEC-2026-95.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nicegui/PYSEC-2026-95.yaml"},{"reference_url":"https://github.com/zauberzeug/nicegui","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zauberzeug/nicegui"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52534.py","reference_id":"CVE-2026-25732","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52534.py"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25732","reference_id":"CVE-2026-25732","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25732"},{"reference_url":"https://github.com/advisories/GHSA-9ffm-fxg3-xrhh","reference_id":"GHSA-9ffm-fxg3-xrhh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://githu
b.com/advisories/GHSA-9ffm-fxg3-xrhh"},{"reference_url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh","reference_id":"GHSA-9ffm-fxg3-xrhh","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:57Z/"}],"url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh"},{"reference_url":"https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115","reference_id":"upload_files.py#L110-L115","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:57Z/"}],"url":"https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115"},{"reference_url":"https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82","reference_id":"upload_files.py#L79-L82","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:57Z/"}],"url":"https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38782?format=json","purl":"pkg:pypi/nicegui@3.7.0","is_vulnerable":false,"affected_by_vulner
abilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.7.0"}],"aliases":["CVE-2026-25732","GHSA-9ffm-fxg3-xrhh","PYSEC-2026-95"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cw8a-xpmx-kfh9"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@0.8.16"}