Description

NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (\) in the upload filename. Applications that construct file paths using file.name (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows. This vulnerability is fixed in 3.10.0.

INFO

Published Date :

2026-04-08T20:13:31.935Z

Last Modified :

2026-04-08T20:13:31.935Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-39844 vulnerability.

Vendors Products
Zauberzeug
  • Nicegui
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39844.

URL Resource
https://github.com/zauberzeug/nicegui/commit/d38a702e3af2da5b0708f689be8d71413fc77056 cve-icon cve-icon
https://github.com/zauberzeug/nicegui/releases/tag/v3.10.0 cve-icon cve-icon
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w8wv-vfpc-hw2w cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact