CVE-2026-33332
Severity: MEDIUM · EPSS 44.2%
Published Mar 24, 2026 (3mo ago) · Modified Jun 17, 2026 (1w ago)
CVSS 4.0 base score: 6.9
Description
NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.
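The weakness described above is a chunk-size hint taken from the request and handed to the range reader unchecked. The following is an added illustration, not NiceGUI's code or its fix: it puts the unvalidated resolver next to a clamped one and streams a constructed in-memory "file" through a minimal range iterator, reporting the largest single read, which is the amount of file data the server holds at once. The query parameter's name and the size limits are assumptions chosen for the example; the advisory does not name them.

```python
import io
from typing import Iterator, Optional

# Server-side bounds for a single streamed read (constructed for this example,
# not values from NiceGUI).
DEFAULT_CHUNK_SIZE = 64 * 1024
MAX_CHUNK_SIZE = 1024 * 1024


def vulnerable_chunk_size(requested: Optional[str]) -> int:
    """The pattern the advisory describes: the client's value reaches the
    range reader unvalidated, so a huge value turns the stream into one read."""
    if requested is None:
        return DEFAULT_CHUNK_SIZE
    return int(requested)


def hardened_chunk_size(requested: Optional[str]) -> int:
    """Accept the client's hint only inside [1, MAX_CHUNK_SIZE]; unparsable or
    non-positive values fall back to the server default."""
    if requested is None:
        return DEFAULT_CHUNK_SIZE
    try:
        value = int(requested)
    except ValueError:
        return DEFAULT_CHUNK_SIZE
    if value <= 0:
        return DEFAULT_CHUNK_SIZE
    return min(value, MAX_CHUNK_SIZE)


def iter_range(fileobj, start: int, end: int, chunk_size: int) -> Iterator[bytes]:
    """Yield bytes start..end (inclusive) in reads of at most chunk_size,
    the way an HTTP 206 partial-content body is produced."""
    fileobj.seek(start)
    remaining = end - start + 1
    while remaining > 0:
        chunk = fileobj.read(min(chunk_size, remaining))
        if not chunk:
            break
        remaining -= len(chunk)
        yield chunk


def peak_read_size(file_size: int, requested_chunk: Optional[str], resolver) -> int:
    """Stream a constructed file of file_size bytes and return the largest single
    read, i.e. how much of the file sat in memory at one time."""
    data = io.BytesIO(b"\x00" * file_size)  # constructed stand-in for a media file
    chunk_size = resolver(requested_chunk)
    return max(len(c) for c in iter_range(data, 0, file_size - 1, chunk_size))


if __name__ == "__main__":
    size = 8 * 1024 * 1024   # an 8 MiB "media file", built in memory
    hint = str(10**9)        # hypothetical query value asking for a 1 GB chunk
    print("unvalidated:", peak_read_size(size, hint, vulnerable_chunk_size))  # whole file in one read
    print("clamped:    ", peak_read_size(size, hint, hardened_chunk_size))    # capped at MAX_CHUNK_SIZE
```

The clamp is the whole mitigation: once the per-read size is bounded server-side, the memory held per request no longer scales with the file or with what the client asks for, so concurrent requests for large files cost a predictable amount.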
CVSS Details
- Base Score: 6.9 (CVSS 4.0)
- Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: X
Threat Intelligence
- EPSS exploit probability: 44.2% percentile
- Exploit status: No Known Exploit
- Patch status: Patch Available
Weaknesses (2)
- CWE-20 Improper Input Validation
- CWE-770 Allocation of Resources Without Limits or Throttling
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| zauberzeug | nicegui | * | <3.9.0 |
References (3)
- github.com https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b
- github.com https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0
- github.com https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76
Remediation
- github.com https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b