nicegui
PyPI15 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting niceguipage 1 of 1
- CVE-2024-32005HIGHCVSS 8.2EG 8.2✓ Fixed in 1.4.212024-04-12
vulnerable: 1.4.10 ... 1.4.9 (15 versions)
NiceGUI is an easy-to-use, Python-based UI framework. A local file inclusion is present in the NiceUI leaflet component when requesting resource files under the `/_nicegui/{__version__}/resources/{key}/{path:path}` route. As a result any f…
- CVE-2025-21618HIGHCVSS 7.5EG 7.5✓ Fixed in 2.9.12025-01-06
vulnerable: 0.1.0 ... 2.9.0 (256 versions)
NiceGUI is an easy-to-use, Python-based UI framework. Prior to 2.9.1, authenticating with NiceGUI logged in the user for all browsers, including browsers in incognito mode. This vulnerability is fixed in 2.9.1.
- CVE-2025-53354MEDIUMCVSS 6.1EG 6.1✓ Fixed in 3.0.02025-10-03
vulnerable: 0.1.0 ... 3.0.0rc1 (286 versions)
NiceGUI is a Python-based UI framework. Versions 2.24.2 and below are at risk for Cross-Site Scripting (XSS) when developers render unescaped user input into the DOM using ui.html(). NiceGUI did not enforce HTML or JavaScript sanitization,…
- CVE-2025-66469MEDIUMCVSS 6.1EG 6.1✓ Fixed in 3.4.02025-12-09
vulnerable: 0.1.0 ... 3.3.1 (295 versions)
NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.add_css, ui.add_scss, and ui.add_sass functions. The functions lack proper sanitization or encoding for the JavaScript context …
- CVE-2025-66470MEDIUMCVSS 6.1EG 6.1✓ Fixed in 3.4.02025-12-09
vulnerable: 0.1.0 ... 3.3.1 (295 versions)
NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are subject to a XSS vulnerability through the ui.interactive_image component of NiceGUI. The component renders SVG content using Vue's v-html directive without any sanitizat…
- CVE-2025-66645HIGHCVSS 7.5EG 7.5✓ Fixed in 3.4.02025-12-09
vulnerable: 0.1.0 ... 3.3.1 (295 versions)
NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to directory traversal through the App.add_media_files() function, which allows a remote attacker to read arbitrary files on the server filesystem. This issue…
- CVE-2026-21871MEDIUMCVSS 6.1EG 6.1✓ Fixed in 3.5.02026-01-08
vulnerable: 2.13.0 ... 3.4.1 (34 versions)
NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is a XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are docu…
- CVE-2026-21872MEDIUMCVSS 6.1EG 6.1✓ Fixed in 3.5.02026-01-08
vulnerable: 2.22.0 ... 3.4.1 (22 versions)
NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user active…
- CVE-2026-21873HIGHCVSS 7.2EG 7.2✓ Fixed in 3.5.02026-01-08
vulnerable: 2.22.0 ... 3.4.1 (22 versions)
NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do des…
- CVE-2026-21874MEDIUMCVSS 5.3EG 5.3✓ Fixed in 3.5.02026-01-08
vulnerable: 2.10.0 ... 3.4.1 (40 versions)
NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connect…
- CVE-2026-25516MEDIUMCVSS 6.1EG 6.1✓ Fixed in 3.7.02026-02-06
vulnerable: 0.1.0 ... 3.6.1 (300 versions)
NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This…
- CVE-2026-25732HIGHCVSS 7.5EG 7.5✓ Fixed in 3.7.02026-02-06
vulnerable: 0.1.0 ... 3.6.1 (300 versions)
NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Mali…
- CVE-2026-39844MEDIUMCVSS 5.9EG 5.9✓ Fixed in 3.10.02026-04-08
vulnerable: 0.1.0 ... 3.9.0 (304 versions)
NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (\) in the upload filename. Appli…
- CVE-2026-45553HIGHCVSS 7.5EG 7.5✓ Fixed in 3.12.02026-05-18
vulnerable: 0.1.0 ... 3.9.0 (307 versions)
NiceGUI is a Python-based UI framework. Prior to version 3.12.0, ui.restructured_text() renders reStructuredText server-side with Docutils without disabling file insertion directives. When a NiceGUI application passes attacker-controlled c…
- CVE-2026-45554MEDIUMCVSS 5.3EG 5.3✓ Fixed in 3.12.02026-05-18
vulnerable: 0.1.0 ... 3.9.0 (307 versions)
NiceGUI is a Python-based UI framework. Prior to version 3.12.0, two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to …
Check whether nicegui is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for nicegui CVEs against the assets you own.
Start Free Scan →