Zauberzeug NiceGUI vulnerabilities
17 known vulnerabilities affecting zauberzeug/nicegui.

Total CVEs: 17
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 7, MEDIUM 10

Vulnerabilities

CVE-2026-25732 | P2 | HIGH | CVSS 7.5 | CWE-22 | PoC available | fixed in 3.7.0 | 2026-02-06
NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potentia

CVE-2024-32005 | P3 | HIGH | CVSS 8.2 | CWE-22 | affected >= 1.4.6, < 1.4.21 | 2024-04-12
NiceGUI is an easy-to-use, Python-based UI framework. A local file inclusion is present in the NiceUI leaflet component when requesting resource files under the `/_nicegui/{__version__}/resources/{key}/{path:path}` route. As a result any file on the backend filesystem which the web server has access to can be read by an attacker with access to the Nice

CVE-2025-66645 | P3 | HIGH | CVSS 7.5 | CWE-22 | fixed in 3.4.0 | 2025-12-09
NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to directory traversal through the App.add_media_files() function, which allows a remote attacker to read arbitrary files on the server filesystem. This issue is fixed in version 3.4.0.

CVE-2026-39844 | P3 | HIGH | CVSS 7.5 | CWE-22 | fixed in 3.10.0 | 2026-04-08
NiceGUI is a Python-based UI framework. Prior to 3.10.0, since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (\) in the upload filename. Applications that construct file paths using file.name (a pattern demonstrated in NiceGUI's bundled examples) are vulner

CVE-2026-45553 | P3 | HIGH | CVSS 7.5 | CWE-200 | fixed in 3.12.0 | 2026-06-02
NiceGUI is a Python-based UI framework. Prior to version 3.12.0, ui.restructured_text() renders reStructuredText server-side with Docutils without disabling file insertion directives. When a NiceGUI application passes attacker-controlled content to ui.restructured_text(), an attacker can use standard Docutils directives (include, csv-table with :file:

CVE-2026-33332 | P3 | HIGH | CVSS 7.5 | CWE-20 | fixed in 3.9.0 | 2026-03-24
NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked stream

CVE-2025-21618 | P3 | HIGH | CVSS 7.5 | CWE-287 | fixed in 2.9.1 | 2025-01-06
NiceGUI is an easy-to-use, Python-based UI framework. Prior to 2.9.1, authenticating with NiceGUI logged in the user for all browsers, including browsers in incognito mode. This vulnerability is fixed in 2.9.1.

CVE-2026-45554 | P4 | MEDIUM | CVSS 5.3 | CWE-248 | fixed in 3.12.0 | 2026-06-02
NiceGUI is a Python-based UI framework. Prior to version 3.12.0, two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette's FileResponse, which Uvicorn writes to the server

CVE-2026-21874 | P4 | MEDIUM | CVSS 5.3 | CWE-772 | affected >= 2.10.0, < 3.5.0 | 2026-01-08
NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues a

CVE-2026-21871 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affected >= 2.13.0, < 3.5.0 | 2026-01-08
NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is an XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is

CVE-2026-27156 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 3.8.0 | 2026-02-24
NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name,

CVE-2026-21873 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affected >= 2.22.0, < 3.5.0 | 2026-01-08
NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been patched in version 3.5.0.

CVE-2025-66469 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 3.4.0 | 2025-12-09
NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.add_css, ui.add_scss, and ui.add_sass functions. The functions lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended or tags by injecting closing tags (e.g., or ), allowing

CVE-2026-25516 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 3.7.0 | 2026-02-06
NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through ui.markdown(), an attacker can inject malic

CVE-2026-21872 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affected >= 2.22.0, < 3.5.0 | 2026-01-08
NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0.

CVE-2025-66470 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 3.4.0 | 2025-12-09
NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are subject to an XSS vulnerability through the ui.interactive_image component of NiceGUI. The component renders SVG content using Vue's v-html directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG tag whenever the image component is

CVE-2025-53354 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 3.0.0 | 2025-10-03
NiceGUI is a Python-based UI framework. Versions 2.24.2 and below are at risk for Cross-Site Scripting (XSS) when developers render unescaped user input into the DOM using ui.html(). NiceGUI did not enforce HTML or JavaScript sanitization, so applications that directly combine components like ui.input() with ui.html() or ui.chat_message with HTML con