Description
NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.
Published: 2026-02-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file write via path traversal
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in NiceGUI's FileUpload.name property, which exposes the client‑supplied filename without sanitization. When a developer assembles the destination path by joining UPLOAD_DIR with file.name, an attacker can supply a name containing ../ sequences, so the application writes outside the intended upload directory and can overwrite any file the server process is allowed to write. (Note that pathlib's / operator also discards UPLOAD_DIR entirely when the right-hand operand is an absolute path such as /etc/passwd, so rejecting only the literal '..' is not a sufficient check.) Overwriting an application source file, startup script, or configuration file that the application later loads can turn the arbitrary write into remote code execution. The flaw is a classic path traversal vulnerability, classified as CWE-22.

Affected Systems

The unsanitized property is present in every release of the open‑source NiceGUI framework prior to 3.7.0, but it is only exploitable where application code uses the upload component and inserts file.name directly into a filesystem path. Applications that write to a fixed path, generate their own filenames, or already sanitize the client name before use are not affected.

Risk and Exploitability

The CVSS 3.1 base score is 7.5 (High), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N: reachable over the network, low attack complexity, no privileges or user interaction required, and a high integrity impact with no direct confidentiality or availability impact. EPSS estimates an exploitation probability below 1%, the CVE is not listed in CISA's KEV catalog, and the SSVC record marks exploitation as none but the attack as automatable. Exploitation requires reaching the file upload endpoint of a NiceGUI application that uses user‑supplied filenames as path components; the network attack vector is stated in the vector string, not inferred. Successful exploitation lets an attacker overwrite any file writable by the application process, potentially enabling remote code execution or other destructive actions, but only in projects that adopt the UPLOAD_DIR / file.name pattern without additional safeguards.

Generated by OpenCVE AI on April 17, 2026 at 22:24 UTC.

Remediation

Vendor fix: NiceGUI 3.7.0 or later, per the CVE description and GHSA-9ffm-fxg3-xrhh. Workaround on earlier versions: do not use file.name as a filesystem path component; see the recommended actions below.

OpenCVE Recommended Actions

  • Upgrade NiceGUI to version 3.7.0 or later, the release in which this issue is fixed. Upgrading removes the framework-level footgun, but the client-supplied name should still be treated as untrusted input in application code.
  • Revise any upload handler that uses file.name as part of a filesystem path. Prefer a fixed destination or a server-generated unique filename (keeping the original name only as display metadata, e.g. in a database column).
  • Where the original name must be kept on disk, sanitize it server-side: take only the last path component (treating both '/' and '\' as separators), strip leading dots so '..' and hidden files are rejected, restrict the remaining characters to an allow-list, and verify after joining that the resulting path still lies inside the upload directory.
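The following is an added example, not code from NiceGUI or from the advisory, showing the vulnerable join pattern next to the two hardened alternatives in the recommended actions. It is written with pure POSIX paths so it runs on any OS without touching the filesystem; the upload directory /srv/app/uploads and the helper names (vulnerable_target, escapes, sanitize_name, safe_upload_path, generated_upload_path) are assumptions for this example. Wiring one of the helpers into a NiceGUI upload callback in place of the direct UPLOAD_DIR / file.name join is left to the application and is not shown.

```python
import posixpath
import re
import uuid
from pathlib import PurePosixPath

# Assumed deployment path for the example. PurePosixPath is used so the
# demonstration is identical on every OS and never touches the real filesystem.
UPLOAD_DIR = PurePosixPath("/srv/app/uploads")


def vulnerable_target(upload_dir: PurePosixPath, client_name: str) -> PurePosixPath:
    """The pattern the advisory warns about: UPLOAD_DIR / file.name, unchecked.

    Besides '../' sequences, pathlib's `/` discards upload_dir completely when
    the right-hand side is absolute, so a client name of "/etc/passwd" is just
    as dangerous as "../../etc/passwd".
    """
    return upload_dir / client_name


def escapes(upload_dir: PurePosixPath, target: PurePosixPath) -> bool:
    """True when `target` lexically resolves to a location outside `upload_dir`.

    Purely lexical: '..' and '.' are collapsed, symlinks are not followed, so the
    upload directory itself must not contain attacker-controlled symlinks.
    """
    root = posixpath.normpath(str(upload_dir))
    candidate = posixpath.normpath(str(target))
    return posixpath.commonpath([root, candidate]) != root


_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")
_SAFE_EXT = re.compile(r"^\.[a-z0-9]{1,8}$")


def sanitize_name(client_name: str) -> str:
    """Reduce a client-supplied name to one safe path component.

    Keeps only the last path component (both '/' and '\\' count as separators,
    since the uploading client may be on Windows), replaces anything outside a
    small allow-list with '_', and strips leading dots so '..', '.', and hidden
    files are rejected or neutralised. Raises if nothing usable remains.
    """
    base = re.split(r"[\\/]", client_name)[-1]
    base = _UNSAFE_CHARS.sub("_", base).lstrip(".")
    if not base:
        raise ValueError("client filename has no usable component")
    return base[:255]  # typical filesystem name length limit


def safe_upload_path(upload_dir: PurePosixPath, client_name: str) -> PurePosixPath:
    """Option 1 from the recommended actions: keep the client's name, sanitised,
    then re-verify containment as an independent second check."""
    target = upload_dir / sanitize_name(client_name)
    if escapes(upload_dir, target):  # unreachable after sanitize_name; defence in depth
        raise ValueError("path escapes upload directory")
    return target


def generated_upload_path(upload_dir: PurePosixPath, client_name: str) -> PurePosixPath:
    """Option 2: ignore the client name except for an allow-listed extension and
    store under a server-generated identifier. The original name, if needed for
    display, belongs in a database column, never on the filesystem path."""
    last = re.split(r"[\\/]", client_name)[-1]
    ext = posixpath.splitext(last)[1].lower()
    if not _SAFE_EXT.match(ext):
        ext = ""
    return upload_dir / f"{uuid.uuid4().hex}{ext}"


if __name__ == "__main__":
    # Constructed attacker-supplied names, not captured from any real request.
    for name in ("../../etc/passwd", "/etc/passwd", "..\\..\\Windows\\win.ini", "report.pdf"):
        print(f"{name!r:32} vulnerable -> {str(vulnerable_target(UPLOAD_DIR, name)):36} "
              f"escapes={escapes(UPLOAD_DIR, vulnerable_target(UPLOAD_DIR, name))}")
        print(f"{'':32} sanitised  -> {safe_upload_path(UPLOAD_DIR, name)}")
        print(f"{'':32} generated  -> {generated_upload_path(UPLOAD_DIR, name)}")
```

The containment check in escapes is the part worth keeping even after upgrading: it is cheap, independent of how the name was cleaned, and catches the absolute-path case that a '..' substring check misses. Because it is lexical, pair it with an upload directory the application owns outright (no foreign symlinks inside it) if symlink-following matters in your deployment.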


Advisories
Source: GitHub GHSA
ID: GHSA-9ffm-fxg3-xrhh
Title: NiceGUI's Path Traversal via Unsanitized FileUpload.name Enables Arbitrary File Write
History

Fri, 20 Feb 2026 15:45:00 +0000

CPEs (added): cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*

Mon, 09 Feb 2026 16:15:00 +0000

Metrics (added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

First Time appeared (added): Zauberzeug; Zauberzeug nicegui
Vendors & Products (added): Zauberzeug; Zauberzeug nicegui

Fri, 06 Feb 2026 21:30:00 +0000

Description (added): NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.
Title (added): NiceGUI's Path Traversal via Unsanitized FileUpload.name Enables Arbitrary File Write
Weaknesses (added): CWE-22
References (added):
Metrics (added): cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-09T15:27:21.089Z

Reserved: 2026-02-05T16:48:00.427Z

Link: CVE-2026-25732

Vulnrichment

Updated: 2026-02-09T15:21:58.403Z

NVD

Status : Analyzed

Published: 2026-02-06T22:16:11.993

Modified: 2026-02-20T15:44:09.747

Link: CVE-2026-25732

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:30:29Z

Weaknesses