PT-2026-6660 · Nicegui · Nicegui
K14Uz · Published 2026-02-05 · Updated 2026-02-09 · CVE-2026-25732
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: NiceGUI versions prior to 3.7.0
Description: NiceGUI's FileUpload.name property does not sanitize client-supplied filename metadata, which can lead to path traversal when developers use the pattern UPLOAD_DIR / file.name. Attackers can exploit this by crafting malicious filenames containing '../' sequences to write files outside the intended directories. This could result in remote code execution through application file overwrites, particularly in deployments where the application follows common community patterns. Exploitation requires application code to incorporate file.name into filesystem paths without sanitization. The save() method in nicegui/elements/upload_files.py does not validate the provided path parameter, accepting relative paths with '../' sequences and absolute paths. The affected methods are SmallFileUpload.save() and LargeFileUpload.save(). The vulnerability allows attackers to write files to any location writable by the application process, overwrite Python application files for remote code execution, alter application behavior by overwriting configuration files, and potentially achieve persistent access.
Recommendations: Versions prior to 3.7.0 should be updated to version 3.7.0 or later. As a mitigation, strip directory components from the filename before saving the file, for example: safe_name = Path(e.file.name).name. For maintainers, implement path validation to ensure that the target path does not escape the base directory.
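The two patterns described above, the unsafe UPLOAD_DIR / file.name join and the recommended Path(name).name strip followed by a containment check, shown side by side as an added example. This is not code from the advisory or from the NiceGUI project: the upload directory /srv/app/uploads and the sample filenames are constructed for the demonstration, and validated_save_path is a hypothetical illustration of the maintainer-side check, not NiceGUI's own save() implementation. The strip goes slightly beyond the one-liner in the advisory by removing both '/' and '\' separators so the result is the same on POSIX and Windows hosts.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath

# Constructed upload directory and client-supplied filenames for the demonstration
# (assumptions for this example, not values taken from the advisory).
UPLOAD_DIR = Path("/srv/app/uploads")
SAMPLE_NAMES = [
    "report.pdf",        # ordinary upload
    "../../app.py",      # relative traversal out of the upload directory
    "/srv/app/main.py",  # absolute path: Path('/a') / '/b' silently discards '/a'
    "..\\..\\main.py",   # backslash traversal, relevant on Windows hosts
    "..",                # no usable filename at all
]


def unsafe_target(upload_dir, client_name: str) -> Path:
    """The pattern the advisory warns about: UPLOAD_DIR / file.name with no
    sanitisation.  Returns the resolved path that would actually be written."""
    return (Path(upload_dir) / client_name).resolve()


def strip_directory_components(client_name: str) -> str:
    """Mitigation from the advisory (Path(name).name), extended to strip both '/'
    and '\\' separators.  Raises ValueError if nothing usable remains
    ('', '.', '..') or the name contains a NUL byte."""
    name = PureWindowsPath(PurePosixPath(client_name).name).name
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError(f"unusable filename: {client_name!r}")
    return name


def is_within(base, target) -> bool:
    """True if `target` resolves to a location inside `base` (symlinks followed)."""
    base_resolved = Path(base).resolve()
    target_resolved = Path(target).resolve()
    try:
        target_resolved.relative_to(base_resolved)
    except ValueError:
        return False
    return True


def validated_save_path(base, path) -> Path:
    """Hypothetical maintainer-side check for a save(path) API: reject absolute
    paths and any relative path that escapes `base` once resolved."""
    path = Path(path)
    if path.is_absolute():
        raise ValueError(f"absolute path not allowed: {path}")
    target = (Path(base) / path).resolve()
    if not is_within(base, target):
        raise ValueError(f"{path} escapes {Path(base).resolve()}")
    return target


def safe_target(upload_dir, client_name: str) -> Path:
    """Application-side pattern: strip directory components, then still run the
    containment check (defence in depth; the second check is cheap)."""
    return validated_save_path(upload_dir, strip_directory_components(client_name))


def classify(upload_dir, names):
    """Compare the two patterns over a list of client filenames.  Returns a mapping
    from each name to (outcome of the unsafe join, outcome of the hardened path)."""
    outcome = {}
    for name in names:
        unsafe = unsafe_target(upload_dir, name)
        unsafe_result = "inside" if is_within(upload_dir, unsafe) else f"ESCAPES -> {unsafe}"
        try:
            safe_result = f"saved as {safe_target(upload_dir, name)}"
        except ValueError as exc:
            safe_result = f"rejected ({exc})"
        outcome[name] = (unsafe_result, safe_result)
    return outcome


if __name__ == "__main__":
    for name, (unsafe_result, safe_result) in classify(UPLOAD_DIR, SAMPLE_NAMES).items():
        print(f"{name!r:20} unsafe: {unsafe_result:34} hardened: {safe_result}")
```

Note that stripping alone is not a substitute for the containment check: the strip protects the application's own join, while the check protects any save(path) API that accepts a caller-supplied path, which is the second issue the advisory describes.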

Tags: Exploit, Fix, RCE, Open Redirect, Path traversal

Weakness Enumeration

Related Identifiers
CVE-2026-25732
GHSA-9FFM-FXG3-XRHH
PYSEC-2026-95

Affected Products
Nicegui