CVE-2026-25732 – NiceGUI’s Path Traversal via Unsanitized FileUpload.name Enables Arbitrary File Write

CVE ID : CVE-2026-25732

Published : Feb. 6, 2026, 10:16 p.m. | 1 hour, 3 minutes ago

Description : NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI’s FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.

Severity: 7.5 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…