219 matches found
Malicious code in nicegui (npm)
Malicious npm package published by threat actor "ryanmccollum1" typosquatting the popular Python NiceGUI framework. Part of the same supply chain attack campaign as redeem-onchain-sdk, which collects SSH keys, AWS credentials, .npmrc tokens, Docker auth, Chrome saved logins, .env files, and git...
MAL-2026-3180 Malicious code in nicegui (npm)
Malicious npm package published by threat actor "ryanmccollum1" typosquatting the popular Python NiceGUI framework. Part of the same supply chain attack campaign as redeem-onchain-sdk, which collects SSH keys, AWS credentials, .npmrc tokens, Docker auth, Chrome saved logins, .env files, and git...
CVE-2026-39844
NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes / as path separators, an attacker can bypass this sanitization on Windows by using backslashes \ in the upload filename. Applications that construct file paths using file.name a pattern...
CVE-2026-39844
CVE-2026-39844 affects NiceGUI prior to 3.10.0, where upload file names are sanitized using PurePosixPath(filename).name. On Windows, backslashes are not treated as path separators by PurePosixPath, allowing attackers to bypass sanitization with backslash-filled filenames. If applications constru...
CVE-2026-39844 NiceGUI has a Path Traversal in NiceGUI Upload Filename on Windows via Backslash Bypass of PurePosixPath Sanitization
NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes / as path separators, an attacker can bypass this sanitization on Windows by using backslashes \ in the upload filename. Applications that construct file paths using file.name a pattern...
CVE-2026-39844 NiceGUI has a Path Traversal in NiceGUI Upload Filename on Windows via Backslash Bypass of PurePosixPath Sanitization
NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes / as path separators, an attacker can bypass this sanitization on Windows by using backslashes \ in the upload filename. Applications that construct file paths using file.name a pattern...
EUVD-2026-20610
NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows...
GHSA-W8WV-VFPC-HW2W NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows
Summary The upload filename sanitization introduced in GHSA-9ffm-fxg3-xrhh uses PurePosixPathfilename.name to strip path components. Since PurePosixPath only recognizes forward slashes / as path separators, an attacker can bypass this sanitization on Windows by using backslashes \ in the upload...
Directory Traversal
Overview nicegui is a Create web-based user interfaces with Python. The nice way. Affected versions of this package are vulnerable to Directory Traversal via improper sanitization of uploaded filenames in the uploadfiles.py. An attacker can overwrite arbitrary files outside the intended upload...
NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows
Summary The upload filename sanitization introduced in GHSA-9ffm-fxg3-xrhh uses PurePosixPathfilename.name to strip path components. Since PurePosixPath only recognizes forward slashes / as path separators, an attacker can bypass this sanitization on Windows by using backslashes \ in the upload...
ex4nicegui (=0.9.0) potentially affected by CVE-2026-39844 via nicegui (=3.0.4)
nicegui PYPI version =3.0.4 is affected by a known vulnerability. The following packages have a transitive dependency on nicegui and may be impacted: - ex4nicegui =0.9.0 Source cves: CVE-2026-39844 Source advisory: SNYK:PYTHON-NICEGUI-15954191...
NiceGUI 路径遍历漏洞
NiceGUI is an easy-to-use, Python-based UI framework developed under the open source license. Versions of NiceGUI prior to 3.10.0 contained a path traversal vulnerability. This vulnerability stemmed from an inability to bypass path cleaning, which could lead to arbitrary file writing on Windows...
CVE-2026-33332
NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.addmediafile and app.addmediafiles media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without...
CVE-2026-33332
NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.addmediafile and app.addmediafiles media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without...
CVE-2026-33332 NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion
NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.addmediafile and app.addmediafiles media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without...
CVE-2026-33332
NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.addmediafile and app.addmediafiles media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without...
CVE-2026-33332 NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion
NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.addmediafile and app.addmediafiles media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without...
CVE-2026-33332 NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion
NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.addmediafile and app.addmediafiles media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without...
EUVD-2026-14179
NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.addmediafile and app.addmediafiles media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without...
CVE-2026-33332
CVE-2026-33332 affects NiceGUI prior to v3.9.0. The media routes app.add_media_file() and app.add_media_files() accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing a...