Lucene search
K

235 matches found

vulnersOsv
vulnersOsv
added 2026/05/18 8:21 p.m.6 views

ai-plays-jackbox (>=0.0.1 <=0.3.2), air-link (>=0.0.0 <=0.5.0) +74 more potentially affected by CVE-2026-45553 via nicegui (>=0.9.11 <=3.10.0)

nicegui PYPI version =0.9.11, =0.0.1, =0.0.0, =0.1.0, =1.1.3, =1.9.5, =0.3.0, =0.0.1, =0.6.7, =1.0.0, =1.2.0, =1.23.0 and more Source cves: CVE-2026-45553 Source advisory: OSV:GHSA-JFRM-RX66-G536...

7.5CVSS5.4AI score0.00255EPSS
Exploits0
OSV
OSV
added 2026/05/18 8:21 p.m.12 views

GHSA-JFRM-RX66-G536 NiceGUI: Local file disclosure via Docutils file insertion in ui.restructured_text()

Summary ui.restructuredtext renders reStructuredText server-side with Docutils without disabling file insertion directives. When a NiceGUI application passes attacker-controlled content to ui.restructuredtext, an attacker can use standard Docutils directives include, csv-table with :file:, raw wi...

7.5CVSS5.9AI score0.00255EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/18 8:21 p.m.16 views

NiceGUI: Local file disclosure via Docutils file insertion in ui.restructured_text()

Summary ui.restructuredtext renders reStructuredText server-side with Docutils without disabling file insertion directives. When a NiceGUI application passes attacker-controlled content to ui.restructuredtext, an attacker can use standard Docutils directives include, csv-table with :file:, raw wi...

7.5CVSS5.9AI score0.00255EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/18 12:0 a.m.14 views

PT-2026-41779

Name of the Vulnerable Software and Affected Versions NiceGUI versions prior to 3.12.0 Description Two FastAPI routes used for serving per-component static assets accept a sub-path parameter that can resolve to a directory instead of a file. When a request resolves to a directory, it triggers an...

5.3CVSS6.2AI score0.00343EPSS
Exploits0References5
Snyk
Snyk
added 2026/05/17 9:0 p.m.12 views

Malicious Package

Overview nicegui is a malicious package. This package contains malicious code designed to steal sensitive credentials and establish remote access. While these packages might attempt to impersonate legitimate organizations and popular open-source libraries, there is no connection between those...

9.8CVSS5.9AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.14 views

PT-2026-41235

Name of the Vulnerable Software and Affected Versions NiceGUI affected versions not specified Description The ui.restructured text function renders reStructuredText server-side using Docutils without disabling file insertion directives. When attacker-controlled content is passed to this function,...

7.5CVSS5.8AI score0.00255EPSS
Exploits0References6
Packet Storm
Packet Storm
added 2026/05/05 12:0 a.m.76 views

📄 NiceGUI 3.6.1 Path Traversal

NiceGUI version 3.6.1 suffers from a path traversal vulnerability. Exploit Title: NiceGUI 3.6.1 - Path Traversal Author: Mohammed Idrees Banyamer Instagram: @banyamersecurity GitHub: https://github.com/mbanyamer Date: 2025-06-06 Tested on: NiceGUI = 3.6.1 Python 3.8–3.12 on Linux/Windows CVE:...

7.5CVSS5.8AI score0.03212EPSS
Exploits3
Exploit DB
Exploit DB
added 2026/04/30 12:0 a.m.68 views

NiceGUI 3.6.1 - Path Traversal

Exploit Title: NiceGUI 3.6.1 - Path Traversal Author: Mohammed Idrees Banyamer Instagram: @banyamersecurity GitHub: https://github.com/mbanyamer Date: 2025-06-06 Tested on: NiceGUI = 3.6.1 Python 3.8–3.12 on Linux/Windows CVE: CVE-2026-25732 Affected Versions: = 3.6.1 fixed in 3.7.0 Type: Remote...

7.5CVSS5.2AI score0.03212EPSS
Exploits3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/04/29 12:0 p.m.7 views

Malicious code in nicegui (npm)

Malicious npm package published by threat actor "ryanmccollum1" typosquatting the popular Python NiceGUI framework. Part of the same supply chain attack campaign as redeem-onchain-sdk, which collects SSH keys, AWS credentials, .npmrc tokens, Docker auth, Chrome saved logins, .env files, and git...

5.3AI score
Exploits0References1
OSV
OSV
added 2026/04/29 12:0 p.m.7 views

MAL-2026-3180 Malicious code in nicegui (npm)

Malicious npm package published by threat actor "ryanmccollum1" typosquatting the popular Python NiceGUI framework. Part of the same supply chain attack campaign as redeem-onchain-sdk, which collects SSH keys, AWS credentials, .npmrc tokens, Docker auth, Chrome saved logins, .env files, and git...

5.4AI score
Exploits0References1
NVD
NVD
added 2026/04/08 9:16 p.m.6 views

CVE-2026-39844

NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes / as path separators, an attacker can bypass this sanitization on Windows by using backslashes \ in the upload filename. Applications that construct file paths using file.name a pattern...

7.5CVSS0.00371EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/08 8:13 p.m.2 views

CVE-2026-39844 NiceGUI has a Path Traversal in NiceGUI Upload Filename on Windows via Backslash Bypass of PurePosixPath Sanitization

NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes / as path separators, an attacker can bypass this sanitization on Windows by using backslashes \ in the upload filename. Applications that construct file paths using file.name a pattern...

5.9CVSS6AI score0.00371EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/08 8:13 p.m.17 views

CVE-2026-39844 NiceGUI has a Path Traversal in NiceGUI Upload Filename on Windows via Backslash Bypass of PurePosixPath Sanitization

NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes / as path separators, an attacker can bypass this sanitization on Windows by using backslashes \ in the upload filename. Applications that construct file paths using file.name a pattern...

5.9CVSS0.00371EPSS
Exploits0References3
CVE
CVE
added 2026/04/08 8:13 p.m.31 views

CVE-2026-39844

CVE-2026-39844 affects NiceGUI prior to 3.10.0, where upload file names are sanitized using PurePosixPath(filename).name. On Windows, backslashes are not treated as path separators by PurePosixPath, allowing attackers to bypass sanitization with backslash-filled filenames. If applications constru...

7.5CVSS6AI score0.00371EPSS
Exploits0References3Affected Software1
vulnersOsv
vulnersOsv
added 2026/04/08 3:4 p.m.4 views

ai-plays-jackbox (>=0.0.1 <=0.3.2), air-link (>=0.0.0 <=0.5.0) +71 more potentially affected by CVE-2026-39844 via nicegui (>=0.9.11 <=3.0.4)

nicegui PYPI version =0.9.11, =0.0.1, =0.0.0, =0.1.0, =1.1.3, =0.3.0, =0.0.1, =0.6.7, =1.0.0, =1.2.0, =0.10.0, =0.11.1 and more Source cves: CVE-2026-39844 Source advisory: OSV:GHSA-W8WV-VFPC-HW2W...

7.5CVSS5.4AI score0.00371EPSS
Exploits0
OSV
OSV
added 2026/04/08 3:4 p.m.4 views

GHSA-W8WV-VFPC-HW2W NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows

Summary The upload filename sanitization introduced in GHSA-9ffm-fxg3-xrhh uses PurePosixPathfilename.name to strip path components. Since PurePosixPath only recognizes forward slashes / as path separators, an attacker can bypass this sanitization on Windows by using backslashes \ in the upload...

5.9CVSS6.2AI score0.00371EPSS
Exploits0References5
EUVD
EUVD
added 2026/04/08 3:4 p.m.6 views

EUVD-2026-20610

NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows...

5.9CVSS5.9AI score0.00371EPSS
Exploits0References3
vulnersOsv
vulnersOsv
added 2026/04/08 3:4 p.m.4 views

ex4nicegui (=0.9.0) potentially affected by CVE-2026-39844 via nicegui (=3.0.4)

nicegui PYPI version =3.0.4 is affected by a known vulnerability. The following packages have a transitive dependency on nicegui and may be impacted: - ex4nicegui =0.9.0 Source cves: CVE-2026-39844 Source advisory: SNYK:PYTHON-NICEGUI-15954191...

7.5CVSS5.8AI score0.00371EPSS
Exploits0
Snyk
Snyk
added 2026/04/08 3:4 p.m.4 views

Directory Traversal

Overview nicegui is a Create web-based user interfaces with Python. The nice way. Affected versions of this package are vulnerable to Directory Traversal via improper sanitization of uploaded filenames in the uploadfiles.py. An attacker can overwrite arbitrary files outside the intended upload...

8.3CVSS6.5AI score0.00371EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/08 3:4 p.m.5 views

NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows

Summary The upload filename sanitization introduced in GHSA-9ffm-fxg3-xrhh uses PurePosixPathfilename.name to strip path components. Since PurePosixPath only recognizes forward slashes / as path separators, an attacker can bypass this sanitization on Windows by using backslashes \ in the upload...

7.5CVSS6.3AI score0.00371EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder