CVE-2026-33332

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

5.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H                                    

Vulnerability Description

NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.

Vulnerability Details

Published Date

March 19, 2026

Last Modified

March 26, 2026

CWE ID

CWE-20

Source

GitHub

Vendor

pip

Product

nicegui

External References

https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76
https://github.com/advisories/GHSA-w5g8-5849-vj76

CVE-2026-33332

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment