Path Traversal Vulnerability in NiceGUI 3.6.1 Enables Remote Arbitrary File Write
What Happened – A newly disclosed CVE‑2026‑25732 affects NiceGUI versions ≤ 3.6.1. The library fails to sanitise the uploaded file name, allowing an attacker to traverse directories and write arbitrary files on the host system. Exploits can be launched over the network without authentication.
Why It Matters for TPRM –
- Third‑party UI components are often bundled into SaaS, internal portals, and micro‑services; a flaw in the library compromises every downstream application.
- Unrestricted file writes can lead to credential theft, ransomware deployment, or full server takeover, expanding the attack surface of the primary vendor.
- The vulnerability is publicly exploitable and already has a proof‑of‑concept script circulating in the wild.
Who Is Affected – Companies that develop or host Python‑based web applications using NiceGUI (e.g., fintech dashboards, health‑tech portals, internal tooling, SaaS platforms).
Recommended Actions –
- Inventory all applications that embed NiceGUI ≤ 3.6.1.
- Upgrade immediately to NiceGUI 3.7.0 or later, where the issue is patched.
- If upgrade is not feasible, implement a reverse‑proxy rule that blocks file‑upload endpoints or validates file names against a whitelist.
- Conduct a file‑system audit on affected hosts for unexpected files (e.g., /etc/passwd, maliciousapp.py).
Technical Notes – The flaw is a CWE‑22 “Improper Limitation of a Pathname to a Restricted Directory”. It is a remote arbitrary file write / path traversal triggered via the FileUpload.name parameter in a multipart POST request. No privileges are required; the attack vector is network‑based. Source: https://www.exploit-db.com/exploits/52534
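As an added example (not NiceGUI's code or its 3.7.0 fix), the unchecked join that produces this class of path‑traversal bug, placed next to a hardened handler that applies the allow‑list validation recommended above; `UPLOAD_ROOT`, the function names and the allow‑list pattern are assumptions for illustration.

```python
import re
from pathlib import Path

# Constructed upload root for this example; not a NiceGUI setting.
UPLOAD_ROOT = Path("/srv/app/uploads")

# Allow-list for a stored file name: starts with a letter or digit, then
# letters, digits, dot, dash or underscore; no separators, no leading dot.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def naive_target(root: Path, client_name: str) -> Path:
    """The pattern the advisory describes: the client-supplied name is
    joined to the upload root without any check. With pathlib, a name
    that is absolute replaces `root` entirely, and '..' walks out of it."""
    return root / client_name


def is_contained(root: Path, candidate: Path) -> bool:
    """True when `candidate` resolves to a location strictly inside `root`.
    Resolving both sides also catches escapes through symlinks."""
    root_resolved = root.resolve()
    target = candidate.resolve()
    return target != root_resolved and target.is_relative_to(root_resolved)


def safe_target(root: Path, client_name: str) -> Path:
    """Hardened form: reject (rather than silently rewrite) any name that
    carries a directory component or characters outside the allow-list,
    then confirm the resolved destination is still under `root`."""
    if "/" in client_name or "\\" in client_name:
        raise ValueError(f"upload name contains a path separator: {client_name!r}")
    if not SAFE_NAME.fullmatch(client_name):
        raise ValueError(f"upload name fails allow-list: {client_name!r}")
    target = root / client_name
    if not is_contained(root, target):
        raise ValueError(f"upload destination escapes root: {client_name!r}")
    return target.resolve()


def rejects(root: Path, client_name: str) -> bool:
    """Convenience for tests and log review: does safe_target refuse the name?"""
    try:
        safe_target(root, client_name)
    except ValueError:
        return True
    return False
```

Rejecting instead of rewriting keeps every traversal attempt visible as an error that can be logged and alerted on at the application or reverse‑proxy layer.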