CVE-2026-33332
Improper Input Validation in NiceGUI Media Streaming Causes DoS

Publication date: 2026-03-24

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.
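As an added illustration (not NiceGUI's own code and not the project's fix), the Python below shows the defensive pattern the description implies: any client-supplied value that influences how much of a file is read per step is parsed, clamped to a fixed ceiling and otherwise replaced by a default before it reaches the range reader, so no single request can make the server read an entire file into memory in one go. The query-parameter name `chunk_size`, the bounds, and the sample file are assumptions constructed for this example; the page does not name the actual parameter.

```python
"""Bounded HTTP range streaming with a validated, user-influenced read size.

Added example, not NiceGUI's code. The ``chunk_size`` query parameter is a
hypothetical name; the bounds below are illustrative policy, not the project's.
"""
import os
import tempfile
from typing import Iterator, Optional, Tuple

# Hard bounds for a single read; a client may ask for less, never for more.
MIN_CHUNK = 4 * 1024
MAX_CHUNK = 1024 * 1024
DEFAULT_CHUNK = 64 * 1024


def clamp_chunk_size(raw: Optional[str]) -> int:
    """Parse an untrusted chunk-size hint and clamp it into [MIN_CHUNK, MAX_CHUNK].

    Absent, unparsable, zero or negative values fall back to the default, so a
    request can never select "read the whole file at once".
    """
    if raw is None:
        return DEFAULT_CHUNK
    try:
        value = int(raw, 10)
    except (TypeError, ValueError):
        return DEFAULT_CHUNK
    if value <= 0:
        return DEFAULT_CHUNK
    return max(MIN_CHUNK, min(value, MAX_CHUNK))


def parse_range(header: Optional[str], file_size: int) -> Tuple[int, int]:
    """Turn a single ``Range: bytes=start-end`` header into an inclusive (start, end).

    A missing or non-byte-range header means "whole file"; an end past EOF is
    clipped. A start beyond EOF raises ValueError (a server would answer 416).
    """
    if not header or not header.startswith("bytes="):
        return 0, file_size - 1
    spec = header[len("bytes="):].split(",")[0].strip()
    start_s, _, end_s = spec.partition("-")
    if start_s == "":
        # Suffix range: the last N bytes of the file.
        n = int(end_s)
        return max(file_size - n, 0), file_size - 1
    start = int(start_s)
    end = int(end_s) if end_s else file_size - 1
    if start >= file_size:
        raise ValueError("range start beyond end of file")
    return start, min(end, file_size - 1)


def iter_file_range(path: str, start: int, end: int, chunk_size: int) -> Iterator[bytes]:
    """Yield bytes [start, end] in reads of at most chunk_size each.

    Peak memory is O(chunk_size) regardless of file size or requested range.
    """
    remaining = end - start + 1
    with open(path, "rb") as f:
        f.seek(start)
        while remaining > 0:
            chunk = f.read(min(chunk_size, remaining))
            if not chunk:
                break
            remaining -= len(chunk)
            yield chunk


def stream_range(path: str, range_header: Optional[str], chunk_hint: Optional[str]) -> Tuple[bytes, int]:
    """Serve a range request; return the body and the largest single read made."""
    size = os.path.getsize(path)
    start, end = parse_range(range_header, size)
    chunk_size = clamp_chunk_size(chunk_hint)
    largest = 0
    out = bytearray()
    for chunk in iter_file_range(path, start, end, chunk_size):
        largest = max(largest, len(chunk))
        out.extend(chunk)
    return bytes(out), largest


def make_sample_file(size: int = 3 * 1024 * 1024) -> str:
    """Constructed sample input: a 3 MiB file with a repeating 0..255 byte pattern."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(range(256)) * (size // 256))
    return path


def remove_sample_file(path: str) -> None:
    """Clean up the constructed sample."""
    os.remove(path)


if __name__ == "__main__":
    sample = make_sample_file()
    # A hint asking for a single read the size of the whole file is clamped to MAX_CHUNK.
    body, largest_read = stream_range(sample, None, str(10**9))
    print(len(body), largest_read)  # 3145728 1048576
    remove_sample_file(sample)
```

The point of `clamp_chunk_size` is that the client's value only ever lowers the per-read size within a fixed window; the ceiling is server policy and is applied before any file I/O happens, which is the property a defender would verify in a media route after upgrading.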
Meta Information
Generated
2026-06-16
EPSS Evaluated
2026-06-14
Affected Vendors & Products
Vendor: zauberzeug
Product: nicegui
Version / Range: up to 3.9.0 (excluding)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Executive Summary

This vulnerability exists in NiceGUI, a Python-based UI framework, in versions prior to 3.9.0. The issue is with the app.add_media_file() and app.add_media_files() media routes, which accept a user-controlled query parameter that affects how files are read during streaming.

Because this parameter is passed to the range-response implementation without validation, an attacker can bypass chunked streaming and force the server to load entire files into memory at once.

This can cause excessive memory consumption, degraded performance, or denial of service, especially when large media files and concurrent requests are involved.

The vulnerability was fixed in version 3.9.0 of NiceGUI.

Impact Analysis

This vulnerability can impact you by causing excessive memory consumption on the server when large media files are requested concurrently.

This excessive memory use can degrade the performance of your application or even cause a denial of service, making the application unavailable to legitimate users.

Mitigation Strategies

The vulnerability has been patched in NiceGUI version 3.9.0. The immediate step to mitigate this vulnerability is to upgrade NiceGUI to version 3.9.0 or later.
