CVE-2026-25732
Published: 06 February 2026
Summary
CVE-2026-25732 is a high-severity Path Traversal (CWE-22) vulnerability in Zauberzeug Nicegui. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 19.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mandates validation and sanitization of client-supplied filenames at input points to block path traversal sequences like ../ in NiceGUI FileUpload.name usage.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and remediation of the path traversal flaw in NiceGUI versions prior to 3.7.0 through patching and testing.
- Least privilege: restricts the application process's write access to only the intended upload directories, limiting the damage from a successful path traversal file write.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the public-facing NiceGUI web framework directly enables T1190 exploitation via crafted uploads; the resulting arbitrary file write facilitates T1505.003 web shell placement for RCE.
NVD Description
NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.
Deeper analysis
CVE-2026-25732 is a path traversal vulnerability (CWE-22) in NiceGUI, a Python-based UI framework, affecting versions prior to 3.7.0. The issue stems from the FileUpload.name property, which exposes unsanitized client-supplied filename metadata. When developers construct filesystem paths using the common pattern UPLOAD_DIR / file.name, this allows malicious filenames containing ../ sequences to traverse directories and write files outside the intended upload location.
Unauthenticated attackers (AV:N/AC:L/PR:N) can exploit this vulnerability by uploading files with crafted names if the target application incorporates file.name directly into filesystem paths without additional sanitization. Successful exploitation enables arbitrary file writes outside designated directories, potentially leading to remote code execution by overwriting application files in vulnerable deployment configurations. Applications that use fixed paths, generate unique filenames, or implement explicit sanitization are not affected.
The vulnerability is fixed in NiceGUI version 3.7.0. The official security advisory (GHSA-9ffm-fxg3-xrhh) and relevant code changes in nicegui/elements/upload_files.py detail the patch and recommend developers upgrade immediately while reviewing file handling patterns to avoid direct use of client-supplied filenames in paths.
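The vulnerable `UPLOAD_DIR / file.name` pattern described in the NVD description and the deeper analysis above, placed beside a hardened version, as an added example that is not part of this advisory, of NiceGUI, or of the GHSA patch. It does not import NiceGUI: the functions take the client-supplied name as a plain string (the value `FileUpload.name` would carry), `UPLOAD_DIR` is an assumed upload root, the function names are hypothetical, and the sample filenames are constructed for the demonstration. The hardened form applies the two mitigations the page names: input sanitization of the filename (SI-10) and an independent containment check so that a write can never land outside the upload directory.

```python
"""Vulnerable vs. hardened handling of a client-supplied upload filename."""
from pathlib import Path, PurePosixPath, PureWindowsPath
import re

# Assumed upload root for this example (constructed; not a path from the advisory).
UPLOAD_DIR = Path("/srv/app/uploads")


def unsafe_upload_path(upload_dir: Path, client_name: str) -> Path:
    """The pattern the advisory describes as vulnerable: the client-supplied
    name (FileUpload.name in NiceGUI < 3.7.0) is joined directly onto the
    upload root, so a name containing ../ resolves outside that root."""
    return upload_dir / client_name


def is_traversal_attempt(client_name: str) -> bool:
    """Detection helper: flag names carrying directory separators or a
    parent-directory component. A legitimate browser upload never needs
    either, so a hit is worth logging regardless of how the name is handled."""
    parts = re.split(r"[\\/]", client_name)
    return len(parts) > 1 or ".." in parts


def sanitize_filename(client_name: str) -> str:
    """Reduce the name to one conservative path component.

    1. Keep only the last component under both POSIX and Windows separators.
    2. Replace every character outside a small allow-list with '_'.
    3. Strip leading and trailing dots/underscores so '..' and hidden-file
       names collapse to an empty string and are rejected.
    """
    base = PureWindowsPath(PurePosixPath(client_name).name).name
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    base = base.strip("._")
    if not base:
        raise ValueError("filename is empty after sanitization")
    return base


def safe_upload_path(upload_dir: Path, client_name: str) -> Path:
    """Hardened form: sanitize the name, then verify containment after
    resolution as a second, independent check (defence in depth). Even if
    the sanitizer were bypassed, a path outside the root is refused."""
    root = upload_dir.resolve()
    candidate = (root / sanitize_filename(client_name)).resolve()
    if root not in candidate.parents:
        raise ValueError("resolved path escapes the upload directory")
    return candidate


if __name__ == "__main__":
    # Constructed sample names: one benign, three traversal attempts.
    for name in ["report.pdf", "../../app/main.py", "..\\..\\app\\main.py", ".."]:
        flag = "TRAVERSAL" if is_traversal_attempt(name) else "ok"
        print(f"{name!r:26} [{flag}]")
        print(f"{'':26} unsafe -> {unsafe_upload_path(UPLOAD_DIR, name).resolve()}")
        try:
            print(f"{'':26} safe   -> {safe_upload_path(UPLOAD_DIR, name)}")
        except ValueError as exc:
            print(f"{'':26} safe   -> rejected ({exc})")
```

Running the block shows the unsafe join resolving `../../app/main.py` to `/srv/app/main.py`, i.e. an application file overwrite, while the hardened path keeps every name under the upload root or rejects it. The sanitizer takes the basename rather than refusing the whole request so that uploads from clients that legitimately send full paths still succeed; the containment check is what guarantees the write location regardless of that policy choice.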
Details
- CWE(s)