CVE-2026-33332

Medium CVSS: 6.9

NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.

Vendor

Zauberzeug

Product

Nicegui

CWE

CWE-20

Yayın Tarihi

2026-03-24 20:16:28

Güncelleme

2026-03-26 12:58:50

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-20 Nicegui MEDIUM Zauberzeug 2026

Referanslar

https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0 https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76

Benzer Kayıtlar

Medium

CVE-2026-27156

NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side…

Medium

CVE-2026-25516

NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown conte…

High

CVE-2026-25732

NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filen…

Medium

CVE-2026-21871

NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is a XSS risk in NiceGUI when developers pa…

Medium

CVE-2026-21872

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event liste…

High

CVE-2026-21873

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event l…