{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39844", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T19:13:20.377Z", "datePublished": "2026-04-08T20:13:31.935Z", "dateUpdated": "2026-04-09T16:17:11.748Z"}, "containers": {"cna": {"title": "NiceGUI has a Path Traversal in NiceGUI Upload Filename on Windows via Backslash Bypass of PurePosixPath Sanitization", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w8wv-vfpc-hw2w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w8wv-vfpc-hw2w"}, {"name": "https://github.com/zauberzeug/nicegui/commit/d38a702e3af2da5b0708f689be8d71413fc77056", "tags": ["x_refsource_MISC"], "url": "https://github.com/zauberzeug/nicegui/commit/d38a702e3af2da5b0708f689be8d71413fc77056"}, {"name": "https://github.com/zauberzeug/nicegui/releases/tag/v3.10.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.10.0"}], "affected": [{"vendor": "zauberzeug", "product": "nicegui", "versions": [{"version": "< 3.10.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T20:13:31.935Z"}, "descriptions": [{"lang": "en", "value": "NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (\\) in the upload filename. Applications that construct file paths using file.name (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows. This vulnerability is fixed in 3.10.0."}], "source": {"advisory": "GHSA-w8wv-vfpc-hw2w", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:55:44.846577Z", "id": "CVE-2026-39844", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T16:17:11.748Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39844", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T14:55:44.846577Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:55:51.231Z"}}], "cna": {"title": "NiceGUI has a Path Traversal in NiceGUI Upload Filename on Windows via Backslash Bypass of PurePosixPath Sanitization", "source": {"advisory": "GHSA-w8wv-vfpc-hw2w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "zauberzeug", "product": "nicegui", "versions": [{"status": "affected", "version": "< 3.10.0"}]}], "references": [{"url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w8wv-vfpc-hw2w", "name": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w8wv-vfpc-hw2w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/zauberzeug/nicegui/commit/d38a702e3af2da5b0708f689be8d71413fc77056", "name": "https://github.com/zauberzeug/nicegui/commit/d38a702e3af2da5b0708f689be8d71413fc77056", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.10.0", "name": "https://github.com/zauberzeug/nicegui/releases/tag/v3.10.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (\\) in the upload filename. Applications that construct file paths using file.name (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows. This vulnerability is fixed in 3.10.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T20:13:31.935Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39844", "state": "PUBLISHED", "dateUpdated": "2026-04-09T16:17:11.748Z", "dateReserved": "2026-04-07T19:13:20.377Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T20:13:31.935Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1266F97-4CD4-4117-8666-9D5179E4B030", "versionEndExcluding": "3.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (\\) in the upload filename. Applications that construct file paths using file.name (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows. This vulnerability is fixed in 3.10.0."}], "id": "CVE-2026-39844", "lastModified": "2026-04-15T19:08:44.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-08T21:16:59.883", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/zauberzeug/nicegui/commit/d38a702e3af2da5b0708f689be8d71413fc77056"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.10.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w8wv-vfpc-hw2w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.10.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "nicegui", "source": "cna", "vendor": "zauberzeug"}, "product": "nicegui", "vendor": "zauberzeug"}], "analysis": {"en": {"generated_at": "2026-04-08T21:51:43.790242+00:00", "value": {"mitigation_remediation": ["Upgrade NiceGUI to version 3.10.0 or later"], "summary": {"action": "Patch Now", "impact": "Unrestricted File Write on Windows"}, "threat_synthesis": {"affected_systems": "Applications built with NiceGUI version 3.9 and earlier are vulnerable when running on Windows, because backslashes are treated as path separators. The issue does not affect non\u2011Windows platforms or later releases using built\u2011in path handling that sanitizes filenames properly.", "description_and_impact": "NiceGUI, a Python\u2011based UI framework, contains a path\u2011traversal flaw in its handling of upload filenames. The sanitization routine PurePosixPath removes only forward slashes, so an attacker can embed backslashes in the filename to escape the intended upload directory. This allows a malicious actor to write arbitrary files to the server file system, compromising device integrity and potentially enabling further attacks. The flaw falls under the CWE-22 (Path Traversal) classification and scores a CVSS 5.9, indicating moderate severity.", "risk_and_exploitability": "The vulnerability is not listed in the CISA KEV catalog and lacks an EPSS score, but its CVSS rating signifies a moderate risk. An attacker can exploit the flaw by submitting a crafted file name during the upload process. Successful exploitation would yield the ability to create or overwrite files on the server, threatening confidentiality, integrity, and potentially availability of the application. No active exploits are currently reported, though the directory traversal nature makes it a high priority for remediation."}}}}, "created": "2026-04-09T08:18:03.052057+00:00", "updated": "2026-04-09T08:27:25.920369+00:00", "vendors": ["zauberzeug", "zauberzeug$PRODUCT$nicegui"]}