PYSEC-2026-1704

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/nicegui/PYSEC-2026-1704.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1704
Aliases
Published
2026-07-07T11:45:38.394499Z
Modified
2026-07-07T17:46:55.809248184Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L CVSS Calculator
Summary
NiceGUI allows potential access to local file system
Details

NiceGUI is an easy-to-use, Python-based UI framework. A local file inclusion is present in the NiceUI leaflet component when requesting resource files under the /_nicegui/{__version__}/resources/{key}/{path:path} route.

As a result any file on the backend filesystem which the web server has access to can be read by an attacker with access to the NiceUI leaflet website.

This vulnerability has been addressed in version 1.4.21. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

PyPI / nicegui

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.4.6
Fixed
1.4.21

Affected versions

1.*
1.4.6
1.4.7
1.4.8
1.4.9
1.4.10
1.4.11
1.4.12
1.4.13
1.4.14
1.4.15
1.4.16
1.4.17
1.4.18
1.4.19
1.4.20

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/nicegui/PYSEC-2026-1704.yaml"