219 matches found
NiceGUI 安全漏洞
NiceGUI is an easy-to-use, Python-based UI framework developed under the NiceGUI open source project. Versions of NiceGUI prior to 3.9.0 contained security vulnerabilities. These vulnerabilities stemmed from the media routing functions in app.addmediafile and app.addmediafiles, which allowed...
NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion
Summary NiceGUI's app.addmediafile and app.addmediafiles media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and...
acherion (>=0.2.0 <=0.5.3), aesp (=2025.9.12) +187 more potentially affected by CVE-2026-33332 via nicegui (>=3.0.4 <=3.8.0)
nicegui PYPI version =3.0.4, =0.2.0, =1.0.0, =0.4.0, =0.1.0, =0.2.200, =0.3.0, =0.0.0, =0.4.14, =1.0.0, =0.1.0, =0.4.4, =0.4.9 - boaboard =0.1.0 and more Source cves: CVE-2026-33332 Source advisory: SNYK:PYTHON-NICEGUI-15701842...
GHSA-W5G8-5849-VJ76 NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion
Summary NiceGUI's app.addmediafile and app.addmediafiles media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and...
Improper Validation of Specified Quantity in Input
Overview nicegui is a Create web-based user interfaces with Python. The nice way. Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input in the chunksize parameter in app.addmediafile and app.addmediafiles media routes. An attacker can cause excessi...
PT-2026-26484
Name of the Vulnerable Software and Affected Versions NiceGUI versions prior to 3.9.0 Description NiceGUI’s app.add media file and app.add media files functions are susceptible to a flaw where a user-controlled query parameter, passed to the range-response implementation without validation, can...
CVE-2026-27156
NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements Element.runmethod, AgGrid.rungridmethod, EChart.runchartmethod, and others use an eval fallback in the JavaScript-side runMethod function. When user-controlled input i...
acherion (>=0.2.0 <=0.5.3), aesp (=2025.9.12) +187 more potentially affected by CVE-2026-27156 via nicegui (>=3.0.4 <=3.7.1)
nicegui PYPI version =3.0.4, =0.2.0, =1.0.0, =0.4.0, =0.1.0, =0.2.200, =0.3.0, =0.0.0, =0.4.14, =1.0.0, =0.4.4, =0.4.9 - boaboard =0.1.0 and more Source cves: CVE-2026-27156 Source advisory: SNYK:PYTHON-NICEGUI-15346850...
GHSA-78QV-3MPX-9CQQ NiceGUI vulnerable to XSS via Code Injection during client-side element function execution
Summary Several NiceGUI APIs that execute methods on client-side elements Element.runmethod, AgGrid.rungridmethod, EChart.runchartmethod, and others use an eval fallback in the JavaScript-side runMethod function. When user-controlled input is passed as the method name, an attacker can inject...
NiceGUI vulnerable to XSS via Code Injection during client-side element function execution
Summary Several NiceGUI APIs that execute methods on client-side elements Element.runmethod, AgGrid.rungridmethod, EChart.runchartmethod, and others use an eval fallback in the JavaScript-side runMethod function. When user-controlled input is passed as the method name, an attacker can inject...
CVE-2026-27156
NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements Element.runmethod, AgGrid.rungridmethod, EChart.runchartmethod, and others use an eval fallback in the JavaScript-side runMethod function. When user-controlled input i...
CVE-2026-27156 NiceGUI has XSS via Code Injection
NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements Element.runmethod, AgGrid.rungridmethod, EChart.runchartmethod, and others use an eval fallback in the JavaScript-side runMethod function. When user-controlled input i...
CVE-2026-27156 NiceGUI has XSS via Code Injection
NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements Element.runmethod, AgGrid.rungridmethod, EChart.runchartmethod, and others use an eval fallback in the JavaScript-side runMethod function. When user-controlled input i...
CVE-2026-27156 NiceGUI has XSS via Code Injection
NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements Element.runmethod, AgGrid.rungridmethod, EChart.runchartmethod, and others use an eval fallback in the JavaScript-side runMethod function. When user-controlled input i...
CVE-2026-27156
NiceGUI (Python) before version 3.8.0 is vulnerable to XSS via code injection in client-side runMethod-related APIs (Element.run_method, AgGrid.run_grid_method, EChart.run_chart_method, etc.) due to eval fallback and unsafe string interpolation of method names. The issue allows attacker-controlle...
PT-2026-21771
Name of the Vulnerable Software and Affected Versions NiceGUI versions prior to 3.8.0 Description NiceGUI APIs, including Element.run method, AgGrid.run grid method, EChart.run chart method, and others, utilized an eval fallback within the JavaScript-side runMethod function. This allowed for...
NiceGUI 跨站脚本漏洞
NiceGUI is an easy-to-use, Python-based UI framework developed under the open source license. Versions of NiceGUI prior to 3.8.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from the use of eval in multiple client APIs, and incorrect escaping of method names, which...
CVE-2026-25516
NiceGUI is a Python-based UI framework. The ui.markdown component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled conten...
CVE-2026-25732
NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOADDIR / file.name. Malicious filenames containing ../ sequences allow attackers to...
PYSEC-2026-95
NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOADDIR / file.name. Malicious filenames containing ../ sequences allow attackers to...