NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.
References
| Link | Resource |
|---|---|
| https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b | Patch |
| https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0 | Product Release Notes |
| https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76 | Mitigation Vendor Advisory |
Configurations
History
26 Mar 2026, 12:58
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:* | |
| First Time |
Zauberzeug
Zauberzeug nicegui |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
| References | () https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b - Patch | |
| References | () https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0 - Product, Release Notes | |
| References | () https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76 - Mitigation, Vendor Advisory |
24 Mar 2026, 20:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-03-24 20:16
Updated : 2026-03-26 12:58
NVD link : CVE-2026-33332
Mitre link : CVE-2026-33332
CVE.ORG link : CVE-2026-33332
JSON object : View
Products Affected
zauberzeug
- nicegui