Evan Chan

5 exploits Active since Dec 2025
CVE-2026-39844 WRITEUP MEDIUM WRITEUP
NiceGUI <3.10.0 Windows Upload Filename - Path Traversal
NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (\) in the upload filename. Applications that construct file paths using file.name (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows. This vulnerability is fixed in 3.10.0.
CVSS 5.9
CVE-2026-33332 WRITEUP HIGH WRITEUP
NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion
NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.
CVSS 7.5
CVE-2025-66469 WRITEUP MEDIUM WRITEUP
NiceGUI < 3.4.0 - Reflected Cross-Site Scripting via CSS/SCSS/SASS Injection
NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.add_css, ui.add_scss, and ui.add_sass functions. The functions lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended <style> or <script> tags by injecting closing tags (e.g., </style> or </script>), allowing for the execution of arbitrary JavaScript. This issue is fixed in version 3.4.0.
CVSS 6.1
CVE-2025-66645 WRITEUP HIGH WRITEUP
NiceGUI < 3.4.0 - Path Traversal via App.add_media_files()
NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to directory traversal through the App.add_media_files() function, which allows a remote attacker to read arbitrary files on the server filesystem. This issue is fixed in version 3.4.0.
CVSS 7.5
CVE-2026-25516 WRITEUP MEDIUM WRITEUP
NiceGUI < 3.7.0 - Stored Cross-Site Scripting via ui.markdown() Component
NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers. Unlike other NiceGUI components that render HTML (ui.html(), ui.chat_message(), ui.interactive_image()), the ui.markdown() component does not provide or require a sanitize parameter, leaving applications vulnerable to XSS attacks. This vulnerability is fixed in 3.7.0.
CVSS 6.1