CVE-2026-33332

NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b	Patch
https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0	Product Release Notes
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-24 20:16

Updated : 2026-03-26 12:58

NVD link : CVE-2026-33332

Mitre link : CVE-2026-33332

CVE.ORG link : CVE-2026-33332

JSON object : View

Products Affected

zauberzeug

nicegui

CWE

CWE-20

Improper Input Validation

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2026-33332", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-24T20:16:28.743", "references": [{"url": "https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0."}, {"lang": "es", "value": "NiceGUI es un framework de UI basado en Python. Antes de la versi\u00f3n 3.9.0, las rutas de medios app.add_media_file() y app.add_media_files() de NiceGUI aceptan un par\u00e1metro de consulta controlado por el usuario que influye en c\u00f3mo se leen los archivos durante la transmisi\u00f3n. El par\u00e1metro se pasa a la implementaci\u00f3n de respuesta de rango sin validaci\u00f3n, permitiendo a un atacante eludir la transmisi\u00f3n por bloques y forzar al servidor a cargar archivos completos en la memoria de una sola vez. Con archivos multimedia grandes y solicitudes concurrentes, esto puede llevar a un consumo excesivo de memoria, un rendimiento degradado o denegaci\u00f3n de servicio. Este problema ha sido parcheado en la versi\u00f3n 3.9.0."}], "lastModified": "2026-03-26T12:58:50.417", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07FAF148-5DBE-4936-A171-698A309AEE21", "versionEndExcluding": "3.9.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}