Path Traversal Vulnerability in NiceGUI Python UI Framework
CVE-2026-39844

5.9 MEDIUM

Key Information:

Vendor: Zauberzeug
Status: Vendor
CVE Published: 8 April 2026

What is CVE-2026-39844?

NiceGUI, a Python-based UI framework, is vulnerable to path traversal: on Windows, an attacker can bypass the upload-filename sanitization by using backslashes instead of forward slashes. The sanitization relies on PurePosixPath, which recognizes only forward slashes as path separators, so a filename containing backslashes passes the check unchanged and is then interpreted as a nested path by the Windows filesystem. Applications built with NiceGUI that construct file paths from file.name, as shown in NiceGUI's bundled examples, may therefore allow arbitrary file writes on Windows systems. This issue has been resolved in version 3.10.0.
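The following is an added illustration, not NiceGUI's code or its actual fix: a PurePosixPath-based basename check of the kind the advisory describes, beside a separator-agnostic one, with a pure-path model of where a Windows host would write the result. The function names, the upload directory and the sample filename are constructed for the example.

```python
# Added illustration, not NiceGUI's code: a PurePosixPath-based basename check
# beside a separator-agnostic one. Names, UPLOAD_DIR and samples are constructed.
from pathlib import PurePosixPath, PureWindowsPath

# Assumed upload destination on a Windows host (constructed for the example).
UPLOAD_DIR = PureWindowsPath(r"C:\app\uploads")


def posix_only_basename(filename: str) -> str:
    """Weak pattern: PurePosixPath treats only '/' as a separator, so a name
    built with backslashes comes back unchanged and later acts as a path."""
    return PurePosixPath(filename).name


def portable_basename(filename: str) -> str:
    """Hardened pattern: PureWindowsPath splits on both '/' and '\\' and drops
    drive prefixes, so only the final component survives on any host OS.
    Empty or dot-only results are rejected rather than silently written."""
    base = PureWindowsPath(filename).name
    if base in ("", ".", ".."):
        raise ValueError(f"unsafe upload filename: {filename!r}")
    return base


def resolved_on_windows(sanitized: str) -> PureWindowsPath:
    """Lexically normalise UPLOAD_DIR / sanitized the way a Windows file API
    would before opening it (collapsing '.' and '..'), without touching disk."""
    joined = UPLOAD_DIR / sanitized          # an absolute name replaces UPLOAD_DIR entirely
    parts = []
    for part in joined.parts[1:]:            # parts[0] is the anchor, e.g. 'C:\\'
        if part == "..":
            if parts:
                parts.pop()
        elif part != ".":
            parts.append(part)
    return PureWindowsPath(joined.anchor, *parts)


def escapes_upload_dir(sanitized: str) -> bool:
    """True when the write would land outside UPLOAD_DIR."""
    return UPLOAD_DIR not in resolved_on_windows(sanitized).parents


if __name__ == "__main__":
    sample = "..\\..\\outside.txt"           # constructed upload filename
    print("posix-only check keeps:", posix_only_basename(sample),
          "-> escapes:", escapes_upload_dir(posix_only_basename(sample)))
    print("portable check keeps:  ", portable_basename(sample),
          "-> escapes:", escapes_upload_dir(portable_basename(sample)))
```

Because only pure paths are used, the script runs on any OS and shows the Windows outcome without writing anything.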

Affected Version(s)

nicegui < 3.10.0

References

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
