CVE-2026-25732
Published: 06 February 2026
Summary
CVE-2026-25732 is a high-severity Path Traversal (CWE-22) vulnerability in Zauberzeug NiceGUI. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 18.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
NiceGUI, a Python-based UI framework, contains a path traversal vulnerability in its FileUpload component prior to version 3.7.0. The FileUpload.name property returns unsanitized client-supplied filename metadata, which becomes exploitable when application code constructs filesystem paths using the common pattern of UPLOAD_DIR combined with file.name. This issue is tracked as CWE-22 and carries a CVSS 3.1 score of 7.5.
An unauthenticated remote attacker can supply a malicious filename containing ../ sequences during file upload. If the receiving application incorporates the unsanitized name directly into a path, the attacker can write files outside the intended upload directory, potentially overwriting application files and achieving remote code execution depending on the deployment.
The official advisory and patch in NiceGUI 3.7.0 address the issue by correcting handling in upload_files.py. Applications that use fixed paths, generated filenames, or explicit sanitization are unaffected; exploitation requires the vulnerable pattern of directly using file.name in filesystem operations.
EPSS remains low and unchanged at 0.0147 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5568
Vulnerability details
NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.
- CWE(s): CWE-22 (Path Traversal)
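The vulnerable pattern the advisory describes (UPLOAD_DIR / file.name) beside a hardened replacement, as an added example that is not NiceGUI's code or its 3.7.0 patch; the upload directory and sample filenames are constructed, and only the path computation is shown, not the NiceGUI upload-handler wiring.

```python
import os
from pathlib import Path, PurePosixPath, PureWindowsPath

# Assumed upload root (constructed for this example).
UPLOAD_DIR = Path("/srv/app/uploads")


def naive_target(upload_dir: Path, client_name: str) -> Path:
    """The vulnerable pattern the advisory describes: UPLOAD_DIR / file.name,
    with the client-supplied name trusted as-is."""
    return upload_dir / client_name


def escapes(upload_dir: Path, target: Path) -> bool:
    """True if the normalised target does not sit under upload_dir."""
    root = os.path.normpath(upload_dir)
    return os.path.commonpath([root, os.path.normpath(target)]) != root


def safe_target(upload_dir: Path, client_name: str) -> Path:
    """Hardened form: keep only the final path component (for both POSIX and
    Windows separators, since the client chooses the string), reject empty or
    dot-only names and NUL bytes, then confirm the result stays in upload_dir."""
    base = PureWindowsPath(PurePosixPath(client_name).name).name
    if base in ("", ".", "..") or "\x00" in base:
        raise ValueError(f"rejected filename: {client_name!r}")
    target = upload_dir / base
    if escapes(upload_dir, target):  # defence in depth; should never trigger
        raise ValueError(f"rejected filename: {client_name!r}")
    return target


if __name__ == "__main__":
    # Constructed sample names: one benign, three that try to leave the directory.
    for name in ["report.pdf", "../../outside.txt", "/tmp/absolute.txt", "..\\..\\evil.py"]:
        naive = naive_target(UPLOAD_DIR, name)
        try:
            safe = safe_target(UPLOAD_DIR, name)
        except ValueError as exc:
            safe = exc
        print(f"{name!r:22} naive={naive} escapes={escapes(UPLOAD_DIR, naive)} safe={safe}")
```

Generated filenames (e.g. a UUID chosen by the server) sidestep the problem entirely, which is why the advisory lists that pattern as unaffected; the function above is for cases where the original name must be preserved.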
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing NiceGUI web framework directly enables T1190 exploitation via crafted uploads; arbitrary file write facilitates T1505.003 web shell placement for RCE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mandates validation and sanitization of client-supplied filenames at input points to block path traversal sequences like ../ in NiceGUI FileUpload.name usage.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and remediation of the path traversal flaw in NiceGUI versions prior to 3.7.0 through patching and testing.
- Least privilege: restricts the application process's write access to only the intended upload directories, limiting the damage from a successful path traversal file write.