Cyber Resilience

CVE-2026-25732

High · Public PoC

Published: 06 February 2026
Modified: 20 February 2026
KEV Added: not listed
Patch: fixed in NiceGUI 3.7.0
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0147 (81.4th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25732 is a high-severity Path Traversal (CWE-22) vulnerability in Zauberzeug Nicegui. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.6% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

NiceGUI, a Python-based UI framework, contains a path traversal vulnerability in its FileUpload component in versions prior to 3.7.0. The FileUpload.name property returns the client-supplied filename metadata unsanitized, which becomes exploitable when application code builds filesystem paths with the common pattern UPLOAD_DIR / file.name. The issue is tracked as CWE-22 and carries a CVSS 3.1 score of 7.5.

An unauthenticated remote attacker can supply a filename containing ../ sequences during upload. If the receiving application incorporates that unsanitized name directly into a path, the attacker can write files outside the intended upload directory, potentially overwriting application files and, depending on the deployment, achieving remote code execution.

The official advisory and the patch in NiceGUI 3.7.0 address the issue by correcting the handling in upload_files.py. Applications that use fixed paths, generated filenames, or explicit sanitization are unaffected; exploitation requires the vulnerable pattern of using file.name directly in filesystem operations.

EPSS remains low and unchanged at 0.0147 with no material increase after disclosure.

Vulnerability details

NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.
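To make the vulnerable pattern and the safe alternatives from the Deeper analysis and Vulnerability details sections concrete, here is an added example written for this page; it is not code from NiceGUI, the advisory, or the upload_files.py patch. It places the UPLOAD_DIR / file.name join described above next to a hardened helper that reduces the client-supplied name to a base name, allow-lists its characters, prefixes a random token (the "generated filenames" mitigation), and then confirms the resolved path still lies under the upload directory. The upload directory name, the allow-list regular expression and the sample filenames are constructed assumptions, and a plain string argument stands in for the FileUpload.name value so the code runs without NiceGUI installed.

```python
"""Defensive handling of client-supplied upload filenames (added example).

The advisory's vulnerable pattern is ``UPLOAD_DIR / file.name``, where
``file.name`` is whatever the browser sent. The hardened path below keeps
only a base name, rejects traversal tokens, allow-lists characters, adds a
random prefix, and finally verifies containment in the upload directory.
NiceGUI is not imported; the ``client_name`` string stands in for the
FileUpload.name value (assumption for this stand-alone example).
"""
from __future__ import annotations

import re
import secrets
from pathlib import Path

# Constructed allow-list policy (not from the advisory): must start with an
# alphanumeric character, so dotfiles and '.'/'..' are rejected outright.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def vulnerable_target(upload_dir: str | Path, client_name: str) -> Path:
    """The pattern the advisory describes: the client-controlled name is
    joined to the upload directory with no checks, so '../' segments
    can move the target outside ``upload_dir``."""
    return Path(upload_dir) / client_name


def is_within(base: str | Path, candidate: str | Path) -> bool:
    """True if ``candidate`` resolves to a location strictly under ``base``.

    Both sides are resolved (symlinks and '..' collapsed) before comparing,
    so the check is lexical-escape proof. resolve() tolerates paths that
    do not exist yet, which is the normal case before a write.
    """
    base_r = Path(base).resolve()
    cand_r = Path(candidate).resolve()
    if cand_r == base_r:
        return False  # the directory itself is never a valid write target
    try:
        cand_r.relative_to(base_r)
        return True
    except ValueError:
        return False


def sanitize_filename(client_name: str) -> str | None:
    """Reduce an untrusted filename to a plain base name, or return None.

    '/' and '\\' are both treated as separators so a Windows-style
    '..\\x' is handled like '../x' regardless of the host OS.
    """
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", ".."):
        return None
    if not _SAFE_NAME.match(base):
        return None
    return base


def safe_target(upload_dir: str | Path, client_name: str) -> Path | None:
    """Hardened replacement for ``UPLOAD_DIR / file.name``.

    Returns the path to write to, or None if the upload must be rejected.
    A random prefix ('generated filenames' mitigation) also stops a later
    upload from overwriting an earlier one with the same name.
    """
    base = sanitize_filename(client_name)
    if base is None:
        return None
    upload_dir = Path(upload_dir)
    target = upload_dir / f"{secrets.token_hex(8)}_{base}"
    # Belt and braces: even after sanitising, confirm containment.
    if not is_within(upload_dir, target):
        return None
    return target


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    upload_dir = Path("uploads")
    for name in ["report.pdf", "../outside.txt", "..", "a b.txt", ".hidden"]:
        print(f"{name!r:18} vulnerable -> {vulnerable_target(upload_dir, name)}")
        print(f"{'':18} hardened   -> {safe_target(upload_dir, name)}")
```

In a NiceGUI handler the same helper would be called with the upload event's name attribute in place of client_name, and the bytes written only when safe_target returns a path. Stripping to a base name rather than rejecting any separator is a design choice (the behaviour of common "secure filename" helpers); a stricter policy can return None whenever a separator is present.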

CWE(s): CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Path traversal in the public-facing NiceGUI web framework directly enables T1190 exploitation via crafted uploads; the resulting arbitrary file write facilitates T1505.003 web shell placement for RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21873: same product (Zauberzeug Nicegui)
CVE-2026-39844: same product (Zauberzeug Nicegui)
CVE-2026-33332: same product (Zauberzeug Nicegui)
CVE-2025-1661: shared CWE-22
CVE-2026-33529: shared CWE-22
CVE-2026-9550: shared CWE-22
CVE-2024-44373: shared CWE-22
CVE-2019-25471: shared CWE-22
CVE-2024-11642: shared CWE-22
CVE-2025-67684: shared CWE-22

Affected Assets

zauberzeug nicegui, versions ≤ 3.7.0

Mitigating Controls (NIST 800-53 r5, AI mapping)

SI-10 Information Input Validation (prevent): Directly mandates validation and sanitization of client-supplied filenames at input points to block path traversal sequences like ../ in NiceGUI FileUpload.name usage.

SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, and remediation of the path traversal flaw in NiceGUI versions prior to 3.7.0 through patching and testing.

Least privilege (prevent): Restricts the application process's write access to only the intended upload directories, limiting the damage from a successful path traversal file write.
