CVE-2026-33332

MEDIUM EPSS 44.2%
Published Mar 24, 20263mo ago · Modified Jun 17, 20261w ago
6.9 CVSS 4.0
Medium
Find Similar
Published Mar 24, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.

CVSS Details

Base Score
6.9
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
44.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-20 Improper Input Validation Validation
CWE-770

Affected Products 1

VendorProductVersionRange
zauberzeugnicegui* <3.9.0

References 3

  • github.com https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b
    Patch
  • github.com https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0
    ProductRelease Notes
  • github.com https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76
    MitigationVendor Advisory

Remediation

  • github.com https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b
    Patch