CVE-2026-25732

NiceGUI's Path Traversal via Unsanitized FileUpload.name Enables Arbitrary File Write

Assigner: GitHub_M
Reserved: 05.02.2026 Published: 06.02.2026 Updated: 06.02.2026

NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	zauberzeug
Product	nicegui
Versions	Version < 3.7.0 is affected

Vendor

zauberzeug

Product

nicegui

Versions

Version < 3.7.0 is affected

References

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE

CVE-2026-25732 PUBLISHED

NiceGUI's Path Traversal via Unsanitized FileUpload.name Enables Arbitrary File Write

Metrics

Product Status

References

Problem Types