What is CVE-2026-25732?

CVE-2026-25732 is a high-severity vulnerability in Zauberzeug Nicegui, classified under Path Traversal. CVSS score: 7.5/10. Published 2026-02-06.

How severe is CVE-2026-25732?

High severity. CVSS v3 base score is 7.5 out of 10.

Path Traversal in Zauberzeug Nicegui

CVE-2026-25732

NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Mali…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.014 (80.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.

Affected products

Zauberzeug Nicegui — versions < 3.7.0

Weakness classification (CWE)

CWE-22 — Path Traversal

References

https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh (x_refsource_CONFIRM)
https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115 (x_refsource_MISC)
https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-25732?: CVE-2026-25732 is a high-severity vulnerability in Zauberzeug Nicegui, classified under Path Traversal. CVSS score: 7.5/10. Published 2026-02-06.
How severe is CVE-2026-25732?: High severity. CVSS v3 base score is 7.5 out of 10.