CVE-2026-25732

HIGH

NiceGUI < 3.7.0 - Path Traversal via FileUpload.name Property

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-25732. PoCs published by banyamer, XiaomingX, mbanyamer.

AI-analyzed exploit summary: This exploit demonstrates a path traversal vulnerability in NiceGUI <= 3.6.1, allowing arbitrary file write by manipulating the filename in a multipart file upload. The PoC sends a crafted POST request with a malicious filename to overwrite files on the target system.

Description

NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.
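The vulnerable `UPLOAD_DIR / file.name` pattern from the description beside a hardened version, as an added example that is not NiceGUI's own code or any of the listed PoCs: `UploadEvent` is a constructed stand-in for the upload handler's event object, `UPLOAD_DIR` is a constructed path, and the helper names are assumptions.

```python
"""Vulnerable versus hardened handling of a client-supplied upload filename."""
import posixpath
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# Constructed example directory; any absolute path works for the demonstration.
UPLOAD_DIR = PurePosixPath("/srv/app/uploads")


@dataclass
class UploadEvent:
    """Constructed stand-in for the object an upload handler receives.
    Only the client-controlled `name` field matters for this example."""
    name: str


def unsafe_destination(event: UploadEvent) -> PurePosixPath:
    """The pattern the advisory warns about: the raw client name is joined onto
    UPLOAD_DIR, so '../' walks out of it and an absolute name replaces it entirely."""
    return UPLOAD_DIR / event.name


def escapes_upload_dir(dest: PurePosixPath) -> bool:
    """True when the normalized path is not a direct child of UPLOAD_DIR (pure string logic)."""
    normalized = PurePosixPath(posixpath.normpath(str(dest)))
    return normalized.parent != UPLOAD_DIR


def safe_destination(event: UploadEvent) -> PurePosixPath:
    """Keep only a sanitized basename and verify containment before returning."""
    # Treat both separator styles as directory separators and keep the last component.
    base = PurePosixPath(event.name.replace("\\", "/")).name
    if base in ("", ".", "..") or base.startswith("."):
        raise ValueError(f"rejected upload name: {event.name!r}")
    # Allow-list characters; anything else (spaces, NUL, control chars, ':') becomes '_'.
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)[:255]
    dest = UPLOAD_DIR / base
    # Defense in depth: the final path must still sit directly under UPLOAD_DIR.
    if escapes_upload_dir(dest):
        raise ValueError(f"rejected upload name: {event.name!r}")
    return dest


if __name__ == "__main__":
    evil = UploadEvent(name="../../app.py")
    print("unsafe:", posixpath.normpath(str(unsafe_destination(evil))))  # prints /srv/app.py
    print("safe:  ", safe_destination(evil))  # prints /srv/app/uploads/app.py
```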

Exploits (3)

exploitdb · WORKING POC
by banyamer · python · webapps · multiple
https://www.exploit-db.com/exploits/52534

This exploit demonstrates a path traversal vulnerability in NiceGUI <= 3.6.1, allowing arbitrary file write by manipulating the filename in a multipart file upload. The PoC sends a crafted POST request with a malicious filename to overwrite files on the target system.

Classification: Working PoC (95%)
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: NiceGUI <= 3.6.1
No auth needed
Prerequisites: Target running NiceGUI <= 3.6.1 · Network access to the target · Valid payload file to upload
Analyzed by devstral-2 on May 05, 2026
github · WORKING POC · 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-25732

The repository contains a functional exploit for CVE-2026-25732, which leverages a path traversal vulnerability in NiceGUI's FileUpload component to achieve arbitrary file write. The exploit sends a crafted multipart POST request with a malicious filename to overwrite files on the target system.

Classification: Working PoC (95%)
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: NiceGUI <= 3.6.1
No auth needed
Prerequisites: Target running NiceGUI <= 3.6.1 · Network access to the target application
Analyzed by devstral-2 on Feb 27, 2026
nomisec · WORKING POC
by mbanyamer · poc
https://github.com/mbanyamer/CVE-2026-25732-NiceGUI-3.6.1

This exploit demonstrates a path traversal vulnerability in NiceGUI's FileUpload feature, allowing arbitrary file writes by manipulating the filename field. It sends a crafted multipart POST request to upload a file with a traversal sequence in its name.

Classification: Working PoC (95%)
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: NiceGUI <= 3.6.1
No auth needed
Prerequisites: Target running NiceGUI <= 3.6.1 with an exposed upload endpoint
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3 7.5
EPSS 0.0321
EPSS Percentile 86.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (2)
pypi/nicegui 0 - 3.7.0 (PyPI)
zauberzeug/nicegui < 3.7.0
Published Feb 06, 2026
Tracked Since Feb 18, 2026