CVE-2026-39844
Path Traversal in NiceGUI Allows Arbitrary File Write on Windows
Publication date: 2026-04-08
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zauberzeug | nicegui | < 3.10.0 (3.10.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in NiceGUI, a Python-based UI framework, in versions prior to 3.10.0. The issue arises because PurePosixPath only recognizes forward slashes (/) as path separators, whereas Windows also treats backslashes (\) as separators. An attacker can exploit this by using backslashes in an upload filename to bypass the sanitization check, which strips only the forward-slash components. If an application constructs file paths using the uploaded file's name (file.name), this can lead to an arbitrary file write on Windows systems.
How can this vulnerability impact me?
The vulnerability allows an attacker to write arbitrary files on a Windows system where the vulnerable NiceGUI version is used. This can lead to unauthorized modification or creation of files, potentially compromising the integrity of the system or application.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade NiceGUI to version 3.10.0 or later, where the issue with path sanitization on Windows has been fixed.
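As an added illustration (not code from NiceGUI or from this advisory), the sanitizer pattern the explanation above describes, beside a hardened form that treats both separator styles as boundaries and confirms the final path stays inside the upload directory; `UPLOAD_DIR` and the function names are assumptions.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath

UPLOAD_DIR = Path("uploads")  # assumed destination directory for uploads


def vulnerable_basename(raw_name: str) -> str:
    """Sanitizer in the style the advisory describes: only '/' is treated as a
    separator, so a name containing backslashes passes through unchanged and,
    on a Windows host, is later interpreted as a relative path."""
    return PurePosixPath(raw_name).name


def safe_basename(raw_name: str) -> str:
    """Hardened form: PureWindowsPath treats both '/' and '\\' as separators and
    drops drive letters and UNC prefixes, so the last component is taken the
    same way regardless of the server OS.  Empty, '.', '..' and NUL-containing
    names are rejected outright rather than joined to the upload directory."""
    name = PureWindowsPath(raw_name).name
    if name in ("", ".", "..") or "\0" in name:
        raise ValueError(f"unsafe upload filename: {raw_name!r}")
    return name


def is_safe_name(raw_name: str) -> bool:
    """Convenience predicate around safe_basename() for callers that do not
    want to handle the exception."""
    try:
        safe_basename(raw_name)
        return True
    except ValueError:
        return False


def destination(raw_name: str, base: Path = UPLOAD_DIR) -> Path:
    """Join the sanitized name onto base and verify, after resolution, that the
    target is a direct child of base (defence in depth behind safe_basename)."""
    base_resolved = base.resolve()
    target = (base_resolved / safe_basename(raw_name)).resolve()
    if target.parent != base_resolved:
        raise ValueError("resolved path escaped the upload directory")
    return target


if __name__ == "__main__":
    # Constructed sample names: the backslash form keeps its '..' components
    # under the forward-slash-only sanitizer but not under the hardened one.
    for sample in ("..\\..\\escaped.txt", "../../escaped.txt", "report.pdf"):
        print(f"{sample!r:24} -> {vulnerable_basename(sample)!r:24} "
              f"/ {safe_basename(sample)!r}")
```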