pkg:PyPI/nicegui
18 total CVEs: HIGH 7, MEDIUM 11
All known vulnerabilities
- >= 1.4.6, < 1.4.21
- HIGH 7.5 | CVE-2026-45553 | NiceGUI: Local file disclosure via Docutils file insertion in ui.restructured_text() | from 0, < 3.12.0
- HIGH 7.5 | CVE-2026-25732 | NiceGUI's Path Traversal via Unsanitized FileUpload.name Enables Arbitrary File Write | from 0, < 3.7.0
- HIGH 7.5 | CVE-2026-25732 | NiceGUI's Path Traversal via Unsanitized FileUpload.name Enables Arbitrary File Write | from 0, < 3.7.0
- HIGH 7.5 | CVE-2025-66645 | NiceGUI has a path traversal in app.add_media_files() allows arbitrary file read | from 0, < 3.4.0
- from 0, < 2.9.1
- >= 2.22.0, < 3.5.0
- MEDIUM 6.1 | CVE-2026-27156 | NiceGUI vulnerable to XSS via Code Injection during client-side element function execution | from 0, < 3.8.0
- MEDIUM 6.1 | CVE-2026-25516 | NiceGUI's XSS vulnerability in ui.markdown() allows arbitrary JavaScript execution through unsanitized HTML content | from 0, < 3.7.0
- MEDIUM 6.1 | CVE-2026-21872 | NiceGUI apps are vulnerable to XSS which uses `ui.sub_pages` and render arbitrary user-provided links | >= 2.22.0, < 3.5.0
- MEDIUM 6.1 | CVE-2026-21871 | NiceGUI is vulnerable to XSS via Unescaped URL in ui.navigate.history.push() / replace() | >= 2.13.0, < 3.5.0
- MEDIUM 6.1 | CVE-2025-66470 | NiceGUI Stored/Reflected XSS in ui.interactive_image via unsanitized SVG content | from 0, < 3.4.0
- MEDIUM 6.1 | CVE-2025-66469 | NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection | from 0, < 3.4.0
- from 0, < 3.0.0
- MEDIUM 5.9 | CVE-2026-39844 | NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows | from 0, < 3.10.0
- MEDIUM 5.3 | CVE-2026-45554 | NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes | from 0, < 3.12.0
- MEDIUM 5.3 | CVE-2026-33332 | NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion | from 0, < 3.9.0
- >= 2.10.0, < 3.5.0