Cyber Posture

CVE-2026-39844

Severity: Medium
Published: 08 April 2026
Modified: 15 April 2026
KEV Added: not listed
CVSS Score: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0006 (19.7th percentile)
Risk Priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-39844 is a medium-severity Path Traversal (CWE-22) vulnerability in Zauberzeug Nicegui. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 19.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly addresses the path traversal vulnerability by requiring validation and sanitization of uploaded filenames to reject or normalize path separators like backslashes on Windows.

SI-2 Flaw Remediation (prevent): Mandates timely flaw remediation, such as patching NiceGUI to version 3.10.0, which fixes the PurePosixPath sanitization failure on Windows.

Least privilege (prevent): Enforces least privilege on the application process to limit the scope of arbitrary file writes to non-critical locations even if traversal succeeds.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The path traversal in the public-facing NiceGUI web UI framework enables remote unauthenticated exploitation via crafted file upload (T1190). This directly facilitates arbitrary file writes that can be used to place web shells on the server (T1505.003).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

NiceGUI is a Python-based UI framework. Prior to 3.10.0, since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (\) in the upload filename. Applications that construct file paths using file.name (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows. This vulnerability is fixed in 3.10.0.

Deeper analysis

CVE-2026-39844 is a path traversal vulnerability (CWE-22) affecting NiceGUI, a Python-based UI framework, in versions prior to 3.10.0. The issue stems from the use of PurePosixPath for sanitizing uploaded filenames, which only recognizes forward slashes (/) as path separators and fails to handle backslashes (\) on Windows systems. Applications that construct file paths directly from the uploaded file.name attribute, as shown in NiceGUI's bundled examples, are vulnerable to arbitrary file writes outside the intended directory on Windows hosts.

A remote, unauthenticated attacker can exploit this vulnerability over the network by uploading a malicious file with backslashes in its filename, bypassing path normalization. This requires high attack complexity (AC:H per CVSS v3.1 score of 5.9), such as crafting a precise filename to traverse directories. Successful exploitation enables arbitrary file writes on the server (I:H), potentially allowing attackers to overwrite critical files, though it does not grant confidentiality or availability impact (C:N/A:N).

The vulnerability is addressed in NiceGUI version 3.10.0, where the sanitization logic was updated via commit d38a702e3af2da5b0708f689be8d71413fc77056. Security practitioners should upgrade to 3.10.0 or later and review applications for direct use of file.name in path construction, implementing additional platform-agnostic path normalization (e.g., using pathlib.Path with proper resolution) as a mitigation. Further details are available in the NiceGUI security advisory (GHSA-w8wv-vfpc-hw2w) and release notes.
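To make the mechanism above concrete, the following added example (not code from NiceGUI, the advisory, or the fix commit) contrasts a PurePosixPath-only basename with a host-independent check of the kind recommended above; the upload directory C:\app\uploads and the sample filenames are constructed for illustration.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath

# Constructed sample location; only pure (non-filesystem) Windows paths are built from it.
UPLOAD_DIR_WINDOWS = PureWindowsPath(r"C:\app\uploads")


def naive_basename(filename: str) -> str:
    """The pattern the advisory describes: PurePosixPath treats only '/' as a
    separator, so backslashes in an upload name pass through untouched."""
    return PurePosixPath(filename).name


def naive_destination_on_windows(filename: str) -> PureWindowsPath:
    """Where a Windows host would write when the naive basename is joined onto
    the upload directory. Pure path arithmetic; nothing is touched on disk."""
    return UPLOAD_DIR_WINDOWS / naive_basename(filename)


def escapes_upload_dir(dest: PureWindowsPath) -> bool:
    """Detection helper: a '..' component left in the joined path means the
    write would land outside the intended directory."""
    return ".." in dest.parts


def hardened_basename(filename: str) -> str:
    """Reduce an upload name to a bare file name regardless of host OS: strip
    '/'-separated parents via PurePosixPath, then '\\'-separated parents and
    drive letters via PureWindowsPath, and refuse anything that is not a name."""
    name = PureWindowsPath(PurePosixPath(filename).name).name
    if name in ("", ".", ".."):
        raise ValueError(f"unacceptable upload filename: {filename!r}")
    return name


def safe_destination(upload_dir: str, filename: str) -> Path:
    """Resolve the final write target and confirm it is a direct child of the
    upload directory before any write happens (defence in depth on top of
    hardened_basename)."""
    base = Path(upload_dir).resolve()
    dest = (base / hardened_basename(filename)).resolve()
    if dest.parent != base:
        raise ValueError("resolved path escapes the upload directory")
    return dest
```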

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products

zauberzeug nicegui ≤ 3.10.0

CVEs Like This One

CVE-2026-25732 (same product: Zauberzeug Nicegui)
CVE-2026-21873 (same product: Zauberzeug Nicegui)
CVE-2026-0704 (same product: Microsoft Windows)
CVE-2025-1915 (same product: Microsoft Windows)
CVE-2025-52452 (same product: Microsoft Windows)
CVE-2024-52363 (same product: Microsoft Windows)
CVE-2026-21227 (same vendor: Microsoft)
CVE-2025-67684 (shared CWE-22)
CVE-2026-33529 (shared CWE-22)
CVE-2026-34414 (shared CWE-22)
