CVE-2026-33332 in zauberzeug nicegui
要約 (英語)
NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.
責任者
GitHub_M
予約する
2026年03月18日
公開
2026年03月24日
エントリ
| 識別子 | 脆弱性 | CWE | ベース | テンポ | 0day | 本日 | 悪用可 | KEV | EPSS | CTI | 対策 | CVE |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 352867 | zauberzeug nicegui Query Parameter app.add_media_files サービス拒否 | 404 | 6.4 | 6.3 | $0-$5k | $0-$5k | 未定義 | 0.00027 | 0.00 | 公式な修正 | CVE-2026-33332 |