Resource exhaustion in Zauberzeug Nicegui
CVE-2026-33332
NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The paramet…
Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)
EPSS: 0.000 (12.5th percentile)
Affected products
- Zauberzeug Nicegui — versions < 3.9.0
Weakness classification (CWE)
References
- https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76 (x_refsource_CONFIRM)
- https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b (x_refsource_MISC)
- https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0 (x_refsource_MISC)