Description

NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.

INFO

Published Date :

2026-02-06T21:09:58.389Z

Last Modified :

2026-02-09T15:27:21.089Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25732 vulnerability.

Vendors Products
Zauberzeug
  • Nicegui
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25732.

URL Resource
https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115 cve-icon cve-icon
https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82 cve-icon cve-icon
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact