Improper Input Validation in NiceGUI Media Handling by Zauberzeug
CVE-2026-33332

6.9 MEDIUM

Key Information:

Vendor: Zauberzeug
Status: Vendor
CVE Published: 24 March 2026

What is CVE-2026-33332?

NiceGUI, a Python-based UI framework, has an improper input validation vulnerability in its media routes, specifically the app.add_media_file() and app.add_media_files() methods. A user-controlled query parameter influences how files are handled during streaming and lets an attacker bypass the chunked streaming mechanism, so the server loads an entire media file into memory instead of streaming it. With large files and many concurrent requests this causes significant memory consumption and performance degradation and can lead to a denial of service. The issue is fixed in version 3.9.0, which changes how media files are handled.
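The defect class described above, and the hardened shape of the same handler, as an added example that is not NiceGUI's code. The query parameter name "full" and the chunk-size constant are invented for the illustration; the actual parameter in the affected versions is not named on this page. The point of the hardened version is that the body is always produced by a bounded-chunk generator and that nothing the client sends can change how the file is read:

```python
import os
import tempfile
from typing import Iterator, Optional, Tuple

# Hypothetical server-side constant: only the server decides the chunk size.
DEFAULT_CHUNK_SIZE = 64 * 1024


def parse_range(header: Optional[str], file_size: int) -> Optional[Tuple[int, int]]:
    """Parse a single-range 'bytes=start-end' header into an inclusive (start, end).

    Returns None when the header is absent, malformed, multi-range or unsatisfiable;
    the caller then serves the whole file. (A production server would answer 416
    for the unsatisfiable case; that is left out to keep the example short.)
    """
    if not header or not header.startswith("bytes=") or file_size == 0:
        return None
    spec = header[len("bytes="):]
    if "," in spec:
        return None
    start_s, sep, end_s = spec.partition("-")
    if not sep:
        return None
    try:
        if start_s == "":
            n = int(end_s)  # suffix range: the last N bytes
            if n <= 0:
                return None
            return max(file_size - n, 0), file_size - 1
        start = int(start_s)
        end = int(end_s) if end_s else file_size - 1
    except ValueError:
        return None
    if start < 0 or start >= file_size or start > end:
        return None
    return start, min(end, file_size - 1)


def iter_file_range(path: str, start: int, end: int,
                    chunk_size: int = DEFAULT_CHUNK_SIZE) -> Iterator[bytes]:
    """Yield bytes [start, end] of the file in chunks of at most chunk_size,
    so only one chunk is resident in memory per request at any time."""
    remaining = end - start + 1
    with open(path, "rb") as f:
        f.seek(start)
        while remaining > 0:
            chunk = f.read(min(chunk_size, remaining))
            if not chunk:
                break
            remaining -= len(chunk)
            yield chunk


def serve_media(path: str, range_header: Optional[str] = None, query_params=None,
                chunk_size: int = DEFAULT_CHUNK_SIZE):
    """Hardened handler: the body always comes from iter_file_range, so peak memory
    is bounded by chunk_size. query_params is accepted only to show that it is never
    consulted when deciding how the bytes are read. Returns (status, headers, body)."""
    size = os.path.getsize(path)
    rng = parse_range(range_header, size)
    if rng is None:
        start, end, status = 0, size - 1, 200
    else:
        (start, end), status = rng, 206
    headers = {"Accept-Ranges": "bytes", "Content-Length": str(end - start + 1)}
    if status == 206:
        headers["Content-Range"] = f"bytes {start}-{end}/{size}"
    return status, headers, iter_file_range(path, start, end, chunk_size)


def serve_media_unsafe(path: str, range_header: Optional[str] = None, query_params=None,
                       chunk_size: int = DEFAULT_CHUNK_SIZE):
    """The defect class only: a hypothetical query parameter ('full', invented here)
    switches the handler from chunked reads to reading the whole file at once, so any
    unauthenticated request can make the server buffer an entire media file."""
    if (query_params or {}).get("full") == "1":
        size = os.path.getsize(path)
        with open(path, "rb") as f:
            body = f.read()  # whole file resident in memory for this one request
        return 200, {"Content-Length": str(size)}, iter([body])
    return serve_media(path, range_header, None, chunk_size)


def make_sample_file(size: int) -> str:
    """Write a constructed sample file of `size` bytes (repeating byte pattern)."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    pattern = bytes(range(256))
    with os.fdopen(fd, "wb") as f:
        f.write((pattern * (size // 256 + 1))[:size])
    return path


def measure(chunks: Iterator[bytes]) -> Tuple[int, int, int]:
    """Consume a body and report (largest chunk, total bytes, chunk count);
    the largest chunk is the per-request peak buffer size."""
    largest = total = count = 0
    for chunk in chunks:
        largest, total, count = max(largest, len(chunk)), total + len(chunk), count + 1
    return largest, total, count


if __name__ == "__main__":
    sample = make_sample_file(1024 * 1024)
    print("unsafe   ?full=1 ->", measure(serve_media_unsafe(sample, query_params={"full": "1"})[2]))
    print("hardened ?full=1 ->", measure(serve_media(sample, query_params={"full": "1"})[2]))
    os.remove(sample)
```

Running the block serves a constructed 1 MiB file through both handlers with the hypothetical parameter set: the unsafe path buffers all 1048576 bytes in a single chunk, the hardened path never holds more than 65536 bytes at once, which is the property a fix for this class of issue should preserve under concurrent requests.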

Affected Version(s)

nicegui < 3.9.0

References

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved