CVE-2026-33332
Received Received - Intake

Improper Input Validation in NiceGUI Media Streaming Causes DoS

Vulnerability report for CVE-2026-33332, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-24

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description

NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-24
Last Modified
2026-03-26
Generated
2026-07-06
AI Q&A
2026-03-24
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
zauberzeug nicegui to 3.9.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in NiceGUI, a Python-based UI framework, in versions prior to 3.9.0. The issue is with the app.add_media_file() and app.add_media_files() media routes, which accept a user-controlled query parameter that affects how files are read during streaming.

Because this parameter is passed to the range-response implementation without validation, an attacker can bypass chunked streaming and force the server to load entire files into memory at once.

This can cause excessive memory consumption, degraded performance, or denial of service, especially when large media files and concurrent requests are involved.

The vulnerability was fixed in version 3.9.0 of NiceGUI.

Impact Analysis

This vulnerability can impact you by causing excessive memory consumption on the server when large media files are requested concurrently.

This excessive memory use can degrade the performance of your application or even cause a denial of service, making the application unavailable to legitimate users.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability has been patched in NiceGUI version 3.9.0. The immediate step to mitigate this vulnerability is to upgrade NiceGUI to version 3.9.0 or later.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33332. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart