Path Traversal Vulnerability in NiceGUI Framework by Zauberzeug
CVE-2026-25732
What is CVE-2026-25732?
The NiceGUI framework, used to build web user interfaces in Python, has a vulnerability in its FileUpload component. The name property of the FileUpload exposes the client-supplied filename metadata without any sanitization. If an application builds a destination path with the pattern UPLOAD_DIR / file.name, an attacker can embed sequences such as '../' (or supply an absolute path) in the filename and write the uploaded bytes outside the intended directory. Depending on the deployment, overwriting files in this way can lead to remote code execution. Applications that incorporate the filename metadata directly into filesystem paths without validation are susceptible; applications that store uploads under fixed, server-generated names, or that explicitly sanitize the name, are not affected. The vulnerability has been addressed in version 3.7.0.
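The vulnerable pattern beside a hardened replacement, as an added example in plain Python. This is not code from the advisory or from NiceGUI itself; `UPLOAD_DIR`, `sanitize_upload_name`, `safe_target_path` and `server_side_name` are names assumed here, and `posixpath` is used for the path arithmetic so the result is the same on any host without touching the real filesystem.

```python
"""Added example (not NiceGUI code): the UPLOAD_DIR / file.name pattern from the
advisory beside a hardened replacement. All names here are hypothetical; posixpath
is used for deterministic, OS-independent path arithmetic."""
import posixpath
import re
import uuid
from pathlib import PureWindowsPath

UPLOAD_DIR = "/srv/app/uploads"  # assumed upload directory

# Conservative allow-list: no leading dot, no separators, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def unsafe_target_path(upload_dir: str, client_name: str) -> str:
    """The vulnerable pattern: the client-supplied name is joined as-is.
    '../' segments walk out of upload_dir, and an absolute name replaces it
    entirely because posixpath.join discards the earlier components."""
    return posixpath.normpath(posixpath.join(upload_dir, client_name))


def sanitize_upload_name(client_name: str) -> str:
    """Reduce a client-supplied filename to a safe basename or raise ValueError.
    PureWindowsPath is used deliberately: it understands '/', '\\' and drive
    letters, so '../x', '/etc/x', '..\\x' and 'C:\\x' all reduce to 'x'."""
    base = PureWindowsPath(client_name).name
    if base in ("", ".", ".."):
        raise ValueError(f"rejected upload name: {client_name!r}")
    if not SAFE_NAME.fullmatch(base):
        raise ValueError(f"rejected upload name: {client_name!r}")
    return base


def safe_target_path(upload_dir: str, client_name: str) -> str:
    """Hardened pattern: sanitize first, then verify that the final path still
    lies inside upload_dir (defence in depth, independent of the sanitizer)."""
    root = posixpath.normpath(upload_dir)
    target = posixpath.normpath(posixpath.join(root, sanitize_upload_name(client_name)))
    if target == root or posixpath.commonpath([root, target]) != root:
        raise ValueError(f"path escapes upload directory: {target}")
    return target


def server_side_name(client_name: str) -> str:
    """Strongest option: the client name never reaches the filesystem. Keep it as
    metadata and store the bytes under a server-generated name, preserving only
    a validated extension."""
    ext = posixpath.splitext(sanitize_upload_name(client_name))[1].lower()
    return uuid.uuid4().hex + ext


if __name__ == "__main__":
    hostile = "../../../etc/cron.d/job"  # constructed attacker-controlled name
    print("vulnerable:", unsafe_target_path(UPLOAD_DIR, hostile))
    print("hardened:  ", safe_target_path(UPLOAD_DIR, hostile))
    print("generated: ", server_side_name("report.pdf"))
```

Reducing a hostile name to its basename, as `sanitize_upload_name` does, is one reasonable policy; rejecting any name that contains a separator outright is equally valid and easier to audit. Whichever is chosen, the containment check in `safe_target_path` should stay, because it catches a future sanitizer bug rather than trusting that the sanitizer is correct.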

Affected Version(s)
nicegui < 3.7.0
