CVE-2026-25732

Severity: High (CVSS 3.1 base score 7.5) · EPSS: 86.6%
Published: Feb 6, 2026 · Last Modified: Jun 17, 2026

Description

NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.
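To make the remediation concrete, here is an added example (not NiceGUI's code or the advisory's): an audit helper that flags when the `UPLOAD_DIR / file.name` pattern described above would land outside the upload directory, beside the two safe alternatives the description names (explicit sanitization, or a server-generated filename). `UPLOAD_DIR` and all function names are hypothetical.

```python
import re
import secrets
from pathlib import Path, PurePosixPath

# Hypothetical upload root; the advisory's vulnerable pattern is UPLOAD_DIR / file.name.
UPLOAD_DIR = Path("/tmp/nicegui-uploads")

# Allowlist: must start alphanumeric (no dotfiles), then a conservative character set.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def escapes_upload_dir(upload_dir: Path, client_name: str) -> bool:
    """Audit helper: True when 'upload_dir / client_name' resolves outside upload_dir.
    Both '../' components and absolute names escape (Path replaces the base on an
    absolute right-hand operand)."""
    base = upload_dir.resolve()
    target = (upload_dir / client_name).resolve()
    if target == base:
        return True  # empty or '.' name: would target the directory itself
    try:
        target.relative_to(base)
    except ValueError:
        return True
    return False


def safe_upload_path(upload_dir: Path, client_name: str) -> Path:
    """Explicit sanitization: reject rather than repair. Any separator, NUL or
    traversal-only name is hostile; then an allowlist and a containment check apply."""
    if "\x00" in client_name or "/" in client_name or "\\" in client_name:
        raise ValueError(f"path separators not allowed in upload name: {client_name!r}")
    if client_name in (".", "..") or not _SAFE_NAME.fullmatch(client_name):
        raise ValueError(f"upload name fails allowlist: {client_name!r}")
    base = upload_dir.resolve()
    target = (base / client_name).resolve()
    if target.parent != base:  # defense in depth; unreachable after the checks above
        raise ValueError("resolved path escapes upload directory")
    return target


def generated_upload_path(upload_dir: Path, client_name: str) -> Path:
    """Generated filename: the client influences only an allowlisted extension."""
    ext = PurePosixPath(client_name.replace("\\", "/")).suffix.lower()
    if not re.fullmatch(r"\.[a-z0-9]{1,8}", ext):
        ext = ".bin"
    return upload_dir / f"{secrets.token_hex(16)}{ext}"
```

The audit helper is the check to run over any existing handler that joins `file.name` onto a directory; the other two functions are drop-in replacements for that join.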

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
86.6% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-22 Path Traversal (Resource Mgmt)

Affected Products 1

Vendor      Product   Version   Range
zauberzeug  nicegui   *         <3.7.0

References 3

  • github.com https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115
    Patch
  • github.com https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82
    Patch
  • github.com https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh
    Exploit, Mitigation, Vendor Advisory

Remediation

  • github.com https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115
    Patch
  • github.com https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82
    Patch