CVE-2026-33332

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-33332

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33332.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-33332

Aliases

GHSA-w5g8-5849-vj76

Published

2026-03-24T19:20:53.386Z

Modified

2026-04-02T13:27:22.313358Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion

Details

NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.addmediafile() and app.addmediafiles() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33332.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-20",
        "CWE-770"
    ]
}

References

Affected packages

Git / github.com/zauberzeug/nicegui

Affected ranges

Type

GIT

Repo

https://github.com/zauberzeug/nicegui

Events

Introduced

Fixed

9a03535786b3411b48f70a7fc5c46ba8a42dc02f

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.9.0"
        }
    ]
}

Affected versions

v0.*

v0.1.1

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v0.1.6

v0.2.0

v0.2.1

v0.2.10

v0.2.11

v0.2.12

v0.2.13

v0.2.14

v0.2.15

v0.2.2

v0.2.3

v0.2.4

v0.2.5

v0.2.6

v0.2.7

v0.2.8

v0.2.9

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.3.4

v0.3.5

v0.3.6

v0.3.7

v0.3.8

v0.3.9

v0.4.0

v0.4.1

v0.4.10

v0.4.11

v0.4.12

v0.4.13

v0.4.14

v0.4.15

v0.4.2

v0.4.3

v0.4.4

v0.4.5

v0.4.6

v0.4.7

v0.4.8

v0.4.9

v0.5.0

v0.5.1

v0.5.10

v0.5.11

v0.5.12

v0.5.2

v0.5.3

v0.5.4

v0.5.5

v0.5.6

v0.5.7

v0.5.8

v0.5.9

v0.6.0

v0.6.1

v0.6.10

v0.6.11

v0.6.12

v0.6.13

v0.6.2

v0.6.3

v0.6.4

v0.6.5

v0.6.6

v0.6.7

v0.6.8

v0.6.9

v0.7.0

v0.7.1

v0.7.10

v0.7.11

v0.7.12

v0.7.13

v0.7.14

v0.7.15

v0.7.16

v0.7.17

v0.7.18

v0.7.19

v0.7.2

v0.7.20

v0.7.21

v0.7.22

v0.7.23

v0.7.24

v0.7.25

v0.7.26

v0.7.27

v0.7.28

v0.7.29

v0.7.3

v0.7.30

v0.7.4

v0.7.5

v0.7.6

v0.7.7

v0.7.8

v0.7.9

v0.8.0

v0.8.1

v0.8.10

v0.8.11

v0.8.12

v0.8.13

v0.8.14

v0.8.15

v0.8.16

v0.8.2

v0.8.3

v0.8.4

v0.8.5

v0.8.6

v0.8.7

v0.8.8

v0.8.9

v0.9.0

v0.9.1

v0.9.10

v0.9.11

v0.9.12

v0.9.13

v0.9.14

v0.9.15

v0.9.16

v0.9.17

v0.9.18

v0.9.19

v0.9.2

v0.9.20

v0.9.21

v0.9.22

v0.9.23

v0.9.24

v0.9.25

v0.9.26

v0.9.27

v0.9.28

v0.9.3

v0.9.4

v0.9.5

v0.9.6

v0.9.7

v0.9.8

v0.9.9

v1.*

v1.0.0

v1.0.1

v1.0.10

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.0.7

v1.0.8

v1.0.9

v1.1.0

v1.1.1

v1.1.10

v1.1.11

v1.1.2

v1.1.3

v1.1.4

v1.1.5

v1.1.6

v1.1.7

v1.1.8

v1.1.9

v1.2.0

v1.2.1

v1.2.10

v1.2.11

v1.2.12

v1.2.13

v1.2.14

v1.2.15

v1.2.16

v1.2.17

v1.2.18

v1.2.2

v1.2.20

v1.2.21

v1.2.22

v1.2.23

v1.2.24

v1.2.3

v1.2.4

v1.2.5

v1.2.6

v1.2.7

v1.2.8

v1.2.9

v1.3.0

v1.3.1

v1.3.10

v1.3.11

v1.3.12

v1.3.13

v1.3.14

v1.3.15

v1.3.16

v1.3.17

v1.3.18

v1.3.2

v1.3.3

v1.3.4

v1.3.5

v1.3.6

v1.3.7

v1.3.8

v1.3.9

v1.4.0

v1.4.1

v1.4.10

v1.4.11

v1.4.12

v1.4.13

v1.4.14

v1.4.15

v1.4.16

v1.4.17

v1.4.18

v1.4.19

v1.4.2

v1.4.20

v1.4.21

v1.4.22

v1.4.23

v1.4.24

v1.4.25

v1.4.26

v1.4.27

v1.4.28

v1.4.29

v1.4.3

v1.4.30

v1.4.31

v1.4.32

v1.4.33

v1.4.34

v1.4.35

v1.4.36

v1.4.36-dev0

v1.4.37

v1.4.4

v1.4.5

v1.4.6

v1.4.7

v1.4.8

v1.4.9

v2.*

v2.0.0

v2.0.1

v2.1.0

v2.10.0

v2.10.1

v2.11.0

v2.11.1

v2.12.0

v2.12.1

v2.13.0

v2.14.0

v2.14.1

v2.15.0

v2.16.0

v2.16.1

v2.17.0

v2.18.0

v2.19.0

v2.2.0

v2.20.0

v2.21.0

v2.21.1

v2.22.0

v2.22.1

v2.22.2

v2.23.0

v2.23.1

v2.23.2

v2.23.3

v2.24.0

v2.24.1

v2.24.2

v2.3.0

v2.4.0

v2.5.0

v2.7.0

v2.8.0

v2.8.1

v2.9.0

v2.9.1

v3.*

v3.0.0

v3.0.0rc1

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.1.0

v3.2.0

v3.3.0

v3.3.1

v3.4.0

v3.4.1

v3.5.0

v3.6.0

v3.6.1

v3.7.0

v3.7.1

v3.8.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33332.json"