CVE-2026-39844

Name of the Vulnerable Software and Affected Versions NiceGUI versions prior to 3.10.0

Description NiceGUI, a Python-based UI framework, is susceptible to arbitrary file write on Windows due to insufficient sanitization of uploaded filenames. The PurePosixPath function used for sanitization only recognizes forward slashes (/) as path separators. This allows an attacker to bypass sanitization by using backslashes () in the filename. Applications constructing file paths using file.name are particularly vulnerable. This can lead to arbitrary file write, potential remote code execution through overwriting application files, and data integrity loss.

Recommendations Upgrade to NiceGUI version 3.10.0 or later to resolve this issue.