7.5
CVE-2026-39844
- EPSS 0.37%
- Veröffentlicht 08.04.2026 20:13:31
- Zuletzt bearbeitet 15.04.2026 19:08:44
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
NiceGUI has a Path Traversal in NiceGUI Upload Filename on Windows via Backslash Bypass of PurePosixPath Sanitization
NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (\) in the upload filename. Applications that construct file paths using file.name (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows. This vulnerability is fixed in 3.10.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Zauberzeug ≫ Nicegui Version < 3.10.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.37% | 0.287 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
|
| security-advisories@github.com | 5.9 | 2.2 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
|
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w8wv-vfpc-hw2w
https://github.com/zauberzeug/nicegui/commit/d38a702e3af2da5b0708f689be8d71413fc77056
https://github.com/zauberzeug/nicegui/releases/tag/v3.10.0