CVE-2026-39844
NiceGUI <3.10.0 Windows Upload Filename - Path Traversal (severity: MEDIUM)
Title source: manual
Description
NiceGUI is a Python-based UI framework. Prior to 3.10.0, NiceGUI sanitized upload filenames with PurePosixPath, which only recognizes forward slashes (/) as path separators. An attacker can therefore bypass the sanitization on Windows by using backslashes (\) in the upload filename: the backslash-separated components survive sanitization, and Windows treats them as directory separators when the name is later joined onto a directory. Applications that construct file paths using file.name (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows. This vulnerability is fixed in 3.10.0.
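The following added example is my own code, not NiceGUI's, and is not taken from the advisory. It reproduces the failure mode the description names (a PurePosixPath-based sanitizer that keeps backslash-separated components, which Windows then resolves as a traversal) beside a cross-platform sanitizer that strips both separator styles and checks that the final target stays inside the upload directory. It uses ntpath so the Windows path resolution can be demonstrated on any OS; the function names, the upload directory `C:\app\uploads` and the sample filenames are assumptions constructed for the example. Even on a fixed NiceGUI version, an application that joins `file.name` onto a directory should still apply a check like `safe_windows_target` itself rather than trust the framework's sanitization alone.

```python
"""Why a PurePosixPath-only filename sanitizer fails on Windows, and a
cross-platform replacement. Added example, not NiceGUI's own code; all
names and sample inputs below are constructed for illustration."""
import ntpath
from pathlib import PurePosixPath, PureWindowsPath

UPLOAD_DIR_WIN = "C:\\app\\uploads"   # constructed sample upload directory


def sanitize_posix_only(name: str) -> str:
    """Vulnerable pattern: keep only the last '/'-separated component.

    PurePosixPath never treats '\\' as a separator, so a name such as
    '..\\..\\evil.py' is returned unchanged.
    """
    return PurePosixPath(name).name


def resolve_on_windows(upload_dir: str, name: str) -> str:
    """Simulate what `Path(upload_dir) / name` becomes on Windows.

    ntpath implements Windows path rules on every platform, so this shows
    the traversal without needing a Windows host.
    """
    return ntpath.normpath(ntpath.join(upload_dir, name))


def sanitize_cross_platform(name: str) -> str:
    """Hardened: strip both '\\' and '/' components plus any drive or UNC
    prefix, then reject anything that is not a plain file name."""
    # PureWindowsPath treats '\\' and '/' as separators and drops drive
    # prefixes ('C:') and UNC roots; wrapping in PurePosixPath documents the
    # intent that only a bare name may survive.
    base = PurePosixPath(PureWindowsPath(name).name).name
    # Empty, '.', '..' and names with separators, NUL or ':' (Windows
    # alternate data streams) are never acceptable upload names.
    if base in ("", ".", "..") or any(c in base for c in "\\/\0:"):
        raise ValueError(f"unsafe upload filename: {name!r}")
    return base


def safe_windows_target(upload_dir: str, name: str) -> str:
    """Join the sanitized name and verify the result is still inside
    upload_dir (a second, independent check in case the sanitizer is
    ever weakened)."""
    target = ntpath.normpath(ntpath.join(upload_dir, sanitize_cross_platform(name)))
    root = ntpath.normpath(upload_dir)
    if ntpath.commonpath([root, target]) != root:
        raise ValueError("path escapes upload directory")
    return target


if __name__ == "__main__":
    attacker_name = "..\\..\\evil.py"   # constructed malicious upload filename
    print("vulnerable sanitizer keeps:", sanitize_posix_only(attacker_name))
    print("Windows resolves it to:   ",
          resolve_on_windows(UPLOAD_DIR_WIN, sanitize_posix_only(attacker_name)))
    print("hardened target:          ",
          safe_windows_target(UPLOAD_DIR_WIN, attacker_name))
```

Running the block shows the vulnerable sanitizer returning `..\..\evil.py` unchanged and Windows resolving it to `C:\evil.py`, outside the upload directory, while the hardened path lands on `C:\app\uploads\evil.py`. The forward-slash variant `../../evil.py` is caught by both sanitizers, which is why the issue only appears on Windows.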
References (3)
- Advisory (x_refsource_confirm): https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w8wv-vfpc-hw2w
- Commit (x_refsource_misc): https://github.com/zauberzeug/nicegui/commit/d38a702e3af2da5b0708f689be8d71413fc77056
- Release v3.10.0 (x_refsource_misc): https://github.com/zauberzeug/nicegui/releases/tag/v3.10.0
Scores
CVSS v3: 5.9 (MEDIUM)
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector: NETWORK
EPSS: 0.0037
EPSS Percentile: 28.7%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE
CWE-22
Status
published
Products (2)
- pypi/nicegui: 0 to < 3.10.0 (PyPI)
- zauberzeug/nicegui: < 3.10.0 (2 CPE variants)
Published
Apr 08, 2026
Tracked Since
Apr 09, 2026