CVE-2026-39844: NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows
(updated )
The upload filename sanitization introduced in GHSA-9ffm-fxg3-xrhh uses PurePosixPath(filename).name to strip path components. Since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (\) in the upload filename.
Applications that construct file paths using file.name (a pattern demonstrated in NiceGUI’s bundled examples) are vulnerable to arbitrary file write on Windows.
References
- github.com/advisories/GHSA-w8wv-vfpc-hw2w
- github.com/zauberzeug/nicegui
- github.com/zauberzeug/nicegui/commit/d38a702e3af2da5b0708f689be8d71413fc77056
- github.com/zauberzeug/nicegui/releases/tag/v3.10.0
- github.com/zauberzeug/nicegui/security/advisories/GHSA-w8wv-vfpc-hw2w
- nvd.nist.gov/vuln/detail/CVE-2026-39844
Code Behaviors & Features
Detect and mitigate CVE-2026-39844 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →