Description
NiceGUI is a Python-based UI framework. Prior to 3.10.0, since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass the upload-filename sanitization on Windows by using backslashes (\) in the upload filename. Applications that construct file paths using file.name (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows. This vulnerability is fixed in 3.10.0.
Published: 2026-04-08
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted File Write on Windows
Action: Patch Now
AI Analysis

Impact

NiceGUI, a Python‑based UI framework, contains a path‑traversal flaw in its handling of upload filenames. The sanitization relies on PurePosixPath, which treats only forward slashes as path separators, so an attacker can embed backslashes in the filename to escape the intended upload directory on Windows. This allows a malicious actor to write arbitrary files to the server file system, compromising the integrity of the host and potentially enabling further attacks. The flaw falls under the CWE-22 (Path Traversal) classification and scores a CVSS 5.9, indicating moderate severity.
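
The following added example (not NiceGUI's own code, and not its 3.10.0 fix) contrasts the weak pattern described above, a PurePosixPath-only sanitizer, with a hardened sanitizer that strips directory components under both separator conventions; `UPLOAD_DIR`, the sample filenames and the `escapes_upload_dir` check are constructed for the demo, and `ntpath` is used so Windows path semantics can be checked from any host.

```python
import ntpath
from pathlib import PurePosixPath, PureWindowsPath

# Constructed Windows upload directory for the demo (not from NiceGUI).
UPLOAD_DIR = r"C:\app\uploads"


def sanitize_posix_only(filename: str) -> str:
    """The weak pattern the advisory describes: PurePosixPath splits on '/'
    only, so a name built from backslashes survives unchanged."""
    return PurePosixPath(filename).name


def sanitize_filename(filename: str) -> str:
    """Hardened variant (an assumption, not the upstream fix): keep only the
    final component under both POSIX and Windows rules, then reject anything
    that is still not a plain file name."""
    name = PureWindowsPath(PurePosixPath(filename).name).name
    if name in ("", ".", "..") or any(c in name for c in "\\/\0"):
        raise ValueError(f"unsafe upload filename: {filename!r}")
    return name


def is_safe_filename(filename: str) -> bool:
    try:
        sanitize_filename(filename)
    except ValueError:
        return False
    return True


def windows_target(base: str, name: str) -> str:
    """Path a Windows host would actually write for base + name; ntpath
    applies Windows semantics on every platform, so the check is portable."""
    return ntpath.normpath(ntpath.join(base, name))


def escapes_upload_dir(base: str, name: str) -> bool:
    """True if writing `name` under `base` would land outside `base`."""
    base_norm = ntpath.normpath(base)
    try:
        return ntpath.commonpath([base_norm, windows_target(base, name)]) != base_norm
    except ValueError:  # different drive letters: certainly outside base
        return True


if __name__ == "__main__":
    crafted = r"..\..\evil.txt"  # constructed sample of the bypass shape
    for sanitizer in (sanitize_posix_only, sanitize_filename):
        kept = sanitizer(crafted)
        print(sanitizer.__name__, repr(kept), escapes_upload_dir(UPLOAD_DIR, kept))
```

The weak sanitizer keeps the backslash components and `escapes_upload_dir` reports True for the resulting Windows target; the hardened one reduces the name to `evil.txt`, which stays inside the upload directory.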

Affected Systems

Applications built with NiceGUI version 3.9 and earlier are vulnerable when running on Windows, because backslashes are treated as path separators. The issue does not affect non‑Windows platforms or later releases using built‑in path handling that sanitizes filenames properly.

Risk and Exploitability

The vulnerability is not listed in the CISA KEV catalog and lacks an EPSS score, but its CVSS rating signifies a moderate risk. An attacker can exploit the flaw by submitting a crafted file name during the upload process. Successful exploitation would yield the ability to create or overwrite files on the server, threatening confidentiality, integrity, and potentially availability of the application. No active exploits are currently reported, though the directory traversal nature makes it a high priority for remediation.

Generated by OpenCVE AI on April 8, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NiceGUI to version 3.10.0 or later


Advisories

Source: GitHub GHSA
ID: GHSA-w8wv-vfpc-hw2w
Title: NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows
History

Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared
Values Added: Zauberzeug; Zauberzeug nicegui

Type: Vendors & Products
Values Added: Zauberzeug; Zauberzeug nicegui

Wed, 08 Apr 2026 20:30:00 +0000

Type: Description
Values Added: NiceGUI is a Python-based UI framework. Prior to 3.10.0, since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass the upload-filename sanitization on Windows by using backslashes (\) in the upload filename. Applications that construct file paths using file.name (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows. This vulnerability is fixed in 3.10.0.

Type: Title
Values Added: NiceGUI has a Path Traversal in NiceGUI Upload Filename on Windows via Backslash Bypass of PurePosixPath Sanitization

Type: Weaknesses
Values Added: CWE-22

Type: References
Values Added: (empty)

Type: Metrics
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T20:13:31.935Z

Reserved: 2026-04-07T19:13:20.377Z

Link: CVE-2026-39844

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-08T21:16:59.883

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39844

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:27:25Z

Weaknesses