{"url":"http://public2.vulnerablecode.io/api/packages/90121?format=json","purl":"pkg:pypi/nicegui@1.4.22","type":"pypi","namespace":"","name":"nicegui","version":"1.4.22","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.10.0","latest_non_vulnerable_version":"3.12.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/94962?format=json","vulnerability_id":"VCID-3tv5-etjd-q3hr","summary":"NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.add_css, ui.add_scss, and ui.add_sass functions. The functions lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended <style> or <script> tags by injecting closing tags (e.g., </style> or </script>), allowing for the execution of arbitrary JavaScript. This issue is fixed in version 3.4.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66469","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13381","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13274","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66469"},{"reference_url":"https://github.com/zauberzeug/nicegui","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zauberzeug/nicegui"},{"reference_url":"https://github.com/zauberzeug/nicegui/commit/a8fd25b7d5e23afb1952d0f60a1940e18b5f1ca8","reference_id":"a8fd25b7d5e23afb1952d0f60a1940e18b5f1ca8","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"
value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-09T14:18:04Z/"}],"url":"https://github.com/zauberzeug/nicegui/commit/a8fd25b7d5e23afb1952d0f60a1940e18b5f1ca8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66469","reference_id":"CVE-2025-66469","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66469"},{"reference_url":"https://github.com/advisories/GHSA-72qc-wxch-74mg","reference_id":"GHSA-72qc-wxch-74mg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-72qc-wxch-74mg"},{"reference_url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-72qc-wxch-74mg","reference_id":"GHSA-72qc-wxch-74mg","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-09T14:18:04Z/"}],"url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-72qc-wxch-74mg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/35916?format=json","purl":"pkg:pypi/nicegui@3.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4bwj-5kq4-nfas"},{"vulnerability":"VCID-6jca-vw6d-ubdp"},{"vulnerability":"VCID-77re-u8ec-8qdx"},{"vulnerability":"VCID-9r69-v46g-nbea"},{"vulnerability":"VCID-ch7g-e8bv-mkck"},{"vulnerability":"VCID-cw8a-xpmx-kfh9"},{"vulnerabili
ty":"VCID-m48n-q2g3-4fgd"},{"vulnerability":"VCID-wgp7-za8k-bqaq"},{"vulnerability":"VCID-yjjx-r1vh-d3gn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.4.0"}],"aliases":["CVE-2025-66469","GHSA-72qc-wxch-74mg"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3tv5-etjd-q3hr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77904?format=json","vulnerability_id":"VCID-6jca-vw6d-ubdp","summary":"NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. 
This issue has been patched in version 3.9.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33332","reference_id":"","reference_type":"","scores":[{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12524","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12617","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33332"},{"reference_url":"https://github.com/zauberzeug/nicegui","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zauberzeug/nicegui"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33332","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33332"},{"reference_url":"https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b","reference_id":"9026962b8c4f3f225c98b2fbc35aa6b60cb3495b","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:
N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T16:19:01Z/"}],"url":"https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b"},{"reference_url":"https://github.com/advisories/GHSA-w5g8-5849-vj76","reference_id":"GHSA-w5g8-5849-vj76","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w5g8-5849-vj76"},{"reference_url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76","reference_id":"GHSA-w5g8-5849-vj76","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T16:19:01Z/"}],"url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76"},{"reference_url":"https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0","reference_id":"v3.9.0","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T16:19:01Z/"}],"url":"https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375278?format=json","purl":"pkg:pypi/nicegui@3.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerabil
ity":"VCID-yjjx-r1vh-d3gn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.9.0"}],"aliases":["CVE-2026-33332","GHSA-w5g8-5849-vj76"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6jca-vw6d-ubdp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/105578?format=json","vulnerability_id":"VCID-94cg-b1b8-f3ag","summary":"NiceGUI is a Python-based UI framework. Versions 2.24.2 and below are at risk for Cross-Site Scripting (XSS) when developers render unescaped user input into the DOM using ui.html(). NiceGUI did not enforce HTML or JavaScript sanitization, so applications that directly combine components like ui.input() with ui.html() or  ui.chat_message with HTML content without escaping may allow attackers to execute arbitrary JavaScript in the user’s browser. Applications that do not pass untrusted input into ui.html() are not affected. This issue is fixed in version 
3.0.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-53354","reference_id":"","reference_type":"","scores":[{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.08045","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.0801","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-53354"},{"reference_url":"https://github.com/zauberzeug/nicegui","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zauberzeug/nicegui"},{"reference_url":"https://github.com/zauberzeug/nicegui/commit/4673dc35c94a0c7339e2164378b0977332e60775","reference_id":"4673dc35c94a0c7339e2164378b0977332e60775","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-03T19:41:55Z/"}],"url":"https://github.com/zauberzeug/nicegui/commit/4673dc35c94a0c7339e2164378b0977332e60775"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-53354","reference_id":"CVE-2025-53354","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-53354"},{"reference_url":"https://github.com/advisories/GHSA-8c95-hpq2-w46f","reference_id":"GHSA-8c95-hpq2-w46f","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8c95-h
pq2-w46f"},{"reference_url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-8c95-hpq2-w46f","reference_id":"GHSA-8c95-hpq2-w46f","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-03T19:41:55Z/"}],"url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-8c95-hpq2-w46f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34080?format=json","purl":"pkg:pypi/nicegui@3.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3tv5-etjd-q3hr"},{"vulnerability":"VCID-4bwj-5kq4-nfas"},{"vulnerability":"VCID-6jca-vw6d-ubdp"},{"vulnerability":"VCID-77re-u8ec-8qdx"},{"vulnerability":"VCID-9r69-v46g-nbea"},{"vulnerability":"VCID-ch7g-e8bv-mkck"},{"vulnerability":"VCID-cw8a-xpmx-kfh9"},{"vulnerability":"VCID-m48n-q2g3-4fgd"},{"vulnerability":"VCID-mtpf-xq2a-9ubk"},{"vulnerability":"VCID-p7ts-gwhs-bqda"},{"vulnerability":"VCID-wgp7-za8k-bqaq"},{"vulnerability":"VCID-yjjx-r1vh-d3gn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.0.0"}],"aliases":["CVE-2025-53354","GHSA-8c95-hpq2-w46f"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-94cg-b1b8-f3ag"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/109933?format=json","vulnerability_id":"VCID-byww-65h7-efcu","summary":"NiceGUI is an easy-to-use, Python-based UI framework. Prior to 2.9.1, authenticating with NiceGUI logged in the user for all browsers, including browsers in incognito mode. 
This vulnerability is fixed in 2.9.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-21618","reference_id":"","reference_type":"","scores":[{"value":"0.00172","scoring_system":"epss","scoring_elements":"0.38475","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00172","scoring_system":"epss","scoring_elements":"0.38648","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-21618"},{"reference_url":"https://github.com/zauberzeug/nicegui","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zauberzeug/nicegui"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21618","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21618"},{"reference_url":"https://github.com/zauberzeug/nicegui/commit/1621a4ba6a06676b8094362d36623551e651adc1","reference_id":"1621a4ba6a06676b8094362d36623551e651adc1","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-06T16:47:23Z/"}],"url":"https://github.com/zauberzeug/nicegui/commit/1621a4ba6a06676b8094362d36623551e651adc1"},{"reference_url":"https://github.com/advisories/GHSA-v6jv-p6r8-j78w","reference_id":"GHSA-v6jv-p6r8-j78w","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-v6jv-p6r8-j78w"},{"reference_url":"https://github.com/zauberzeug/nicegui/
security/advisories/GHSA-v6jv-p6r8-j78w","reference_id":"GHSA-v6jv-p6r8-j78w","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-06T16:47:23Z/"}],"url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v6jv-p6r8-j78w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/90147?format=json","purl":"pkg:pypi/nicegui@2.9.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3tv5-etjd-q3hr"},{"vulnerability":"VCID-6jca-vw6d-ubdp"},{"vulnerability":"VCID-94cg-b1b8-f3ag"},{"vulnerability":"VCID-ch7g-e8bv-mkck"},{"vulnerability":"VCID-cw8a-xpmx-kfh9"},{"vulnerability":"VCID-mtpf-xq2a-9ubk"},{"vulnerability":"VCID-p7ts-gwhs-bqda"},{"vulnerability":"VCID-wgp7-za8k-bqaq"},{"vulnerability":"VCID-yjjx-r1vh-d3gn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@2.9.1"}],"aliases":["CVE-2025-21618","GHSA-v6jv-p6r8-j78w"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-byww-65h7-efcu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66172?format=json","vulnerability_id":"VCID-ch7g-e8bv-mkck","summary":"NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers. 
Unlike other NiceGUI components that render HTML (ui.html(), ui.chat_message(), ui.interactive_image()), the ui.markdown() component does not provide or require a sanitize parameter, leaving applications vulnerable to XSS attacks. This vulnerability is fixed in 3.7.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25516","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07564","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07527","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25516"},{"reference_url":"https://github.com/zauberzeug/nicegui","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zauberzeug/nicegui"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25516","reference_id":"CVE-2026-25516","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25516"},{"reference_url":"https://github.com/zauberzeug/nicegui/commit/f1f7533577875af7d23f161ed3627f73584cb561","reference_id":"f1f7533577875af7d23f161ed3627f73584cb561","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:19:21Z/"}],"url":"https://github.com/zauberzeug/nicegui/commit/f1f7533577875af7d23f161ed3627f73584cb56
1"},{"reference_url":"https://github.com/advisories/GHSA-v82v-c5x8-w282","reference_id":"GHSA-v82v-c5x8-w282","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v82v-c5x8-w282"},{"reference_url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v82v-c5x8-w282","reference_id":"GHSA-v82v-c5x8-w282","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:19:21Z/"}],"url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v82v-c5x8-w282"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38782?format=json","purl":"pkg:pypi/nicegui@3.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6jca-vw6d-ubdp"},{"vulnerability":"VCID-wgp7-za8k-bqaq"},{"vulnerability":"VCID-yjjx-r1vh-d3gn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.7.0"}],"aliases":["CVE-2026-25516","GHSA-v82v-c5x8-w282"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ch7g-e8bv-mkck"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65933?format=json","vulnerability_id":"VCID-cw8a-xpmx-kfh9","summary":"NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. 
Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25732","reference_id":"","reference_type":"","scores":[{"value":"0.01472","scoring_system":"epss","scoring_elements":"0.81414","published_at":"2026-06-12T12:55:00Z"},{"value":"0.01472","scoring_system":"epss","scoring_elements":"0.81353","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25732"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nicegui/PYSEC-2026-95.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nicegui/PYSEC-2026-95.yaml"},{"reference_url":"https://github.com/zauberzeug/nicegui","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zauberzeug/nicegui"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52534.py","reference_id":"CVE-2026-25732","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/
-/blob/main/exploits/multiple/webapps/52534.py"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25732","reference_id":"CVE-2026-25732","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25732"},{"reference_url":"https://github.com/advisories/GHSA-9ffm-fxg3-xrhh","reference_id":"GHSA-9ffm-fxg3-xrhh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9ffm-fxg3-xrhh"},{"reference_url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh","reference_id":"GHSA-9ffm-fxg3-xrhh","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:57Z/"}],"url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh"},{"reference_url":"https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115","reference_id":"upload_files.py#L110-L115","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:57Z/"}],"url":"https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115"},{"reference_url":"https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L
79-L82","reference_id":"upload_files.py#L79-L82","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:57Z/"}],"url":"https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38782?format=json","purl":"pkg:pypi/nicegui@3.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6jca-vw6d-ubdp"},{"vulnerability":"VCID-wgp7-za8k-bqaq"},{"vulnerability":"VCID-yjjx-r1vh-d3gn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.7.0"}],"aliases":["CVE-2026-25732","GHSA-9ffm-fxg3-xrhh","PYSEC-2026-95"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cw8a-xpmx-kfh9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/94600?format=json","vulnerability_id":"VCID-mtpf-xq2a-9ubk","summary":"NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to  directory traversal through the App.add_media_files() function, which allows a remote attacker to read arbitrary files on the server filesystem. 
This issue is fixed in version 3.4.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66645","reference_id":"","reference_type":"","scores":[{"value":"0.00755","scoring_system":"epss","scoring_elements":"0.73768","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00755","scoring_system":"epss","scoring_elements":"0.73693","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66645"},{"reference_url":"https://github.com/zauberzeug/nicegui","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zauberzeug/nicegui"},{"reference_url":"https://github.com/zauberzeug/nicegui/commit/a1b89e2a24e1911a40389ace2153a37f4eea92a9","reference_id":"a1b89e2a24e1911a40389ace2153a37f4eea92a9","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-10T16:14:20Z/"}],"url":"https://github.com/zauberzeug/nicegui/commit/a1b89e2a24e1911a40389ace2153a37f4eea92a9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66645","reference_id":"CVE-2025-66645","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66645"},{"reference_url":"https://github.com/advisories/GHSA-hxp3-63hc-5366","reference_id":"GHSA-hxp3-63hc-5366","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/adviso
ries/GHSA-hxp3-63hc-5366"},{"reference_url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-hxp3-63hc-5366","reference_id":"GHSA-hxp3-63hc-5366","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-10T16:14:20Z/"}],"url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-hxp3-63hc-5366"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/35916?format=json","purl":"pkg:pypi/nicegui@3.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4bwj-5kq4-nfas"},{"vulnerability":"VCID-6jca-vw6d-ubdp"},{"vulnerability":"VCID-77re-u8ec-8qdx"},{"vulnerability":"VCID-9r69-v46g-nbea"},{"vulnerability":"VCID-ch7g-e8bv-mkck"},{"vulnerability":"VCID-cw8a-xpmx-kfh9"},{"vulnerability":"VCID-m48n-q2g3-4fgd"},{"vulnerability":"VCID-wgp7-za8k-bqaq"},{"vulnerability":"VCID-yjjx-r1vh-d3gn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.4.0"}],"aliases":["CVE-2025-66645","GHSA-hxp3-63hc-5366"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mtpf-xq2a-9ubk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/94752?format=json","vulnerability_id":"VCID-p7ts-gwhs-bqda","summary":"NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are subject to a XSS vulnerability through the ui.interactive_image component of NiceGUI. The component renders SVG content using Vue's v-html directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG <foreignObject> tag whenever the image component is rendered or updated. 
This is particularly dangerous for dashboards or multi-user applications displaying user-generated content or annotations. This issue is fixed in version 3.4.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66470","reference_id":"","reference_type":"","scores":[{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01235","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01238","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66470"},{"reference_url":"https://github.com/zauberzeug/nicegui","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zauberzeug/nicegui"},{"reference_url":"https://github.com/zauberzeug/nicegui/commit/58ad0b36e19922de16bbc79ea3ddd29851b1a3e3","reference_id":"58ad0b36e19922de16bbc79ea3ddd29851b1a3e3","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-09T14:17:55Z/"}],"url":"https://github.com/zauberzeug/nicegui/commit/58ad0b36e19922de16bbc79ea3ddd29851b1a3e3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66470","reference_id":"CVE-2025-66470","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66470"},{"reference_url":"https://github.com/advisories/GHSA-2m4f-cg75-76w2","reference_id":"GHSA-2m4f-cg75-76w2",
"reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2m4f-cg75-76w2"},{"reference_url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-2m4f-cg75-76w2","reference_id":"GHSA-2m4f-cg75-76w2","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-09T14:17:55Z/"}],"url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-2m4f-cg75-76w2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/35916?format=json","purl":"pkg:pypi/nicegui@3.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4bwj-5kq4-nfas"},{"vulnerability":"VCID-6jca-vw6d-ubdp"},{"vulnerability":"VCID-77re-u8ec-8qdx"},{"vulnerability":"VCID-9r69-v46g-nbea"},{"vulnerability":"VCID-ch7g-e8bv-mkck"},{"vulnerability":"VCID-cw8a-xpmx-kfh9"},{"vulnerability":"VCID-m48n-q2g3-4fgd"},{"vulnerability":"VCID-wgp7-za8k-bqaq"},{"vulnerability":"VCID-yjjx-r1vh-d3gn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.4.0"}],"aliases":["CVE-2025-66470","GHSA-2m4f-cg75-76w2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p7ts-gwhs-bqda"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80155?format=json","vulnerability_id":"VCID-wgp7-za8k-bqaq","summary":"NiceGUI is a Python-based UI framework. 
Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser. Additionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context. Version 3.8.0 contains a fix.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27156","reference_id":"","reference_type":"","scores":[{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.15121","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14998","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27156"},{"reference_url":"https://github.com/zauberzeug/nicegui","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zauberzeug/nicegui"},{"reference_url":"https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef3774720f8dbf","reference_id":"1861f59cc374ca0dc9d970b157ef3774720f8dbf","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T21:06:43Z/"}],"url":"https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef377472
0f8dbf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27156","reference_id":"CVE-2026-27156","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27156"},{"reference_url":"https://github.com/advisories/GHSA-78qv-3mpx-9cqq","reference_id":"GHSA-78qv-3mpx-9cqq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-78qv-3mpx-9cqq"},{"reference_url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-78qv-3mpx-9cqq","reference_id":"GHSA-78qv-3mpx-9cqq","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T21:06:43Z/"}],"url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-78qv-3mpx-9cqq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39769?format=json","purl":"pkg:pypi/nicegui@3.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6jca-vw6d-ubdp"},{"vulnerability":"VCID-yjjx-r1vh-d3gn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.8.0"}],"aliases":["CVE-2026-27156","GHSA-78qv-3mpx-9cqq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wgp7-za8k-bqaq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/73172?format=json","vulnerability_id":"VCID-yjjx-r1vh-d3gn","summary":"NiceGUI is a Python-based UI 
framework. Prior to 3.10.0, since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass the filename sanitization on Windows by using backslashes (\\) in the upload filename. Applications that construct file paths using file.name (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows. This vulnerability is fixed in 3.10.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39844","reference_id":"","reference_type":"","scores":[{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20058","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20232","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39844"},{"reference_url":"https://github.com/zauberzeug/nicegui","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zauberzeug/nicegui"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39844","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39844"},{"reference_url":"https://github.com/zauberzeug/nicegui/commit/d38a702e3af2da5b0708f689be8d71413fc77056","reference_id":"d38a702e3af2da5b0708f689be8d71413fc77056","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M
:M/D:T/2026-04-09T14:55:44Z/"}],"url":"https://github.com/zauberzeug/nicegui/commit/d38a702e3af2da5b0708f689be8d71413fc77056"},{"reference_url":"https://github.com/advisories/GHSA-w8wv-vfpc-hw2w","reference_id":"GHSA-w8wv-vfpc-hw2w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w8wv-vfpc-hw2w"},{"reference_url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w8wv-vfpc-hw2w","reference_id":"GHSA-w8wv-vfpc-hw2w","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:55:44Z/"}],"url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w8wv-vfpc-hw2w"},{"reference_url":"https://github.com/zauberzeug/nicegui/releases/tag/v3.10.0","reference_id":"v3.10.0","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:55:44Z/"}],"url":"https://github.com/zauberzeug/nicegui/releases/tag/v3.10.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373553?format=json","purl":"pkg:pypi/nicegui@3.10.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@3.10.0"}],"aliases":["CVE-2026-39844","GHSA-w8wv-vfpc-hw2w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yjjx-r
1vh-d3gn"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nicegui@1.4.22"}