{"data":{"id":"a566b09d-6c2e-4f9c-8ccb-ab9474cd05a8","title":"GHSA-w8wv-vfpc-hw2w: NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows","summary":"NiceGUI does not properly sanitize uploaded file names on Windows. An attacker can use backslashes in filenames to bypass the sanitization check, which only recognizes forward slashes as path separators. This allows them to write files outside the intended upload folder, potentially overwriting important files or running malicious code. Linux and macOS are not affected because they treat backslashes as regular characters in filenames.","solution":"No workaround is discussed in the source. The affected-package data in this record lists 3.10.0 as the fixed version, so upgrade nicegui to 3.10.0 or later; Windows deployments that accept file uploads are the ones exposed.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-w8wv-vfpc-hw2w","publishedAt":"2026-04-08T15:04:13.000Z","cveId":"CVE-2026-39844","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["nicegui@<= 3.9.0 (fixed: 3.10.0)"],"affectedVendors":[],"affectedVendorsRaw":["NiceGUI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-04-08T15:04:13.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","availability"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":["AML.T0010"]}}