CVE-2026-33332

NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b	Patch
https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0	Product Release Notes
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*

History

17 Jun 2026, 10:37

Type	Values Removed	Values Added
Summary		(es) NiceGUI es un framework de UI basado en Python. Antes de la versión 3.9.0, las rutas de medios app.add_media_file() y app.add_media_files() de NiceGUI aceptan un parámetro de consulta controlado por el usuario que influye en cómo se leen los archivos durante la transmisión. El parámetro se pasa a la implementación de respuesta de rango sin validación, permitiendo a un atacante eludir la transmisión por bloques y forzar al servidor a cargar archivos completos en la memoria de una sola vez. Con archivos multimedia grandes y solicitudes concurrentes, esto puede llevar a un consumo excesivo de memoria, un rendimiento degradado o denegación de servicio. Este problema ha sido parcheado en la versión 3.9.0.

26 Mar 2026, 12:58

Type	Values Removed	Values Added
References	~~() https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b -~~	() https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b - Patch
References	~~() https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0 -~~	() https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0 - Product, Release Notes
References	~~() https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76 -~~	() https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76 - Mitigation, Vendor Advisory
CPE		cpe:2.3:a:zauberzeug:nicegui::::::::
First Time		Zauberzeug Zauberzeug nicegui
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

24 Mar 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-24 20:16

Updated : 2026-06-17 10:37

NVD link : CVE-2026-33332

Mitre link : CVE-2026-33332

CVE.ORG link : CVE-2026-33332

JSON object : View

Products Affected

zauberzeug

nicegui

CWE

CWE-20

Improper Input Validation

CWE-770

Allocation of Resources Without Limits or Throttling

7.5 /10