Security: zauberzeug/nicegui
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Unauthenticated log-volume denial of service in dynamic resource routes (GHSA-pq7c-x8g4-rvp6), published May 12, 2026 by falkoschindler. Severity: Moderate
- Local file disclosure via Docutils file insertion in ui.restructured_text() (GHSA-jfrm-rx66-g536), published May 12, 2026 by falkoschindler. Severity: High
- Upload filename sanitization bypass via backslashes allows path traversal on Windows (GHSA-w8wv-vfpc-hw2w), published Apr 7, 2026 by falkoschindler. Severity: Moderate
- Unvalidated chunk size parameter in media routes can cause memory exhaustion (GHSA-w5g8-5849-vj76), published Mar 19, 2026 by falkoschindler. Severity: Moderate
- XSS via unsanitized method names in run_method() (GHSA-78qv-3mpx-9cqq), published Feb 24, 2026 by falkoschindler. Severity: Moderate
- Path Traversal via Unsanitized FileUpload.name Enables Arbitrary File Write (GHSA-9ffm-fxg3-xrhh), published Feb 5, 2026 by falkoschindler. Severity: High
- Cross-Site Scripting (XSS) vulnerability in ui.markdown() allows arbitrary JavaScript execution through unsanitized HTML content. (GHSA-v82v-c5x8-w282), published Feb 5, 2026 by falkoschindler. Severity: Moderate
- Redis connection leak via tab storage causes service degradation (GHSA-mp55-g7pj-rvm2), published Jan 8, 2026 by falkoschindler. Severity: Moderate
- XSS in NiceGUI apps which uses `ui.sub_pages` and render arbitrary user-provided links (GHSA-m7j5-rq9j-6jj9), published Jan 8, 2026 by falkoschindler. Severity: Moderate
- Zero-click XSS in all NiceGUI apps which uses `ui.sub_pages` (GHSA-mhpg-c27v-6mxr), published Jan 8, 2026 by falkoschindler. Severity: High