GHSA-w8wv-vfpc-hw2w: NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows
Summary
NiceGUI's file upload handling does not properly sanitize filenames on Windows. The sanitization check only recognizes forward slashes as path separators, so an attacker can use backslashes in a filename to bypass it and write files outside the intended upload folder, potentially overwriting important files or running malicious code. Linux and macOS are not affected because they treat backslashes as ordinary filename characters.
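The separator mismatch described above, as an added illustration that is not NiceGUI's code: a sanitizer that only splits on `/` next to one that strips directories under both Windows and POSIX rules, plus a containment check evaluated with the host's own path semantics so the Windows case can be modelled from any machine. Upload directories and filenames are constructed for the demo.

```python
import ntpath
import posixpath

# Added illustration of the flaw class the advisory describes; not NiceGUI's code.
# Upload directories and filenames below are constructed sample values.

def sanitize_naive(filename: str) -> str:
    """Flawed pattern: only '/' counts as a separator, so '\\' survives intact."""
    return filename.rsplit("/", 1)[-1]

def sanitize_portable(filename: str) -> str:
    """Reduce an upload name to a bare basename under BOTH Windows and POSIX rules.

    ntpath.basename strips '\\', '/' and drive prefixes regardless of host OS;
    posixpath.basename is applied afterwards as a second layer.
    """
    base = posixpath.basename(ntpath.basename(filename)).replace("\x00", "")
    if base in ("", ".", ".."):
        raise ValueError(f"rejected upload filename: {filename!r}")
    return base

def escapes_upload_dir(upload_dir: str, name: str, windows_host: bool) -> bool:
    """Containment check using the target host's path semantics.

    windows_host=True evaluates the join with ntpath, which lets a POSIX box
    model what a Windows server would actually resolve on disk.
    """
    mod = ntpath if windows_host else posixpath
    root = mod.normpath(upload_dir)
    target = mod.normpath(mod.join(root, name))
    return mod.commonpath([root, target]) != root

if __name__ == "__main__":
    # Constructed test vector: the Windows-style traversal name the advisory describes.
    hostile = "..\\..\\Windows\\win.ini"
    for host, root in (("Windows", "C:\\app\\uploads"), ("Linux", "/srv/app/uploads")):
        win = host == "Windows"
        naive = sanitize_naive(hostile)
        print(f"{host}: naive -> {naive!r}, escapes={escapes_upload_dir(root, naive, win)}")
        safe = sanitize_portable(hostile)
        print(f"{host}: portable -> {safe!r}, escapes={escapes_upload_dir(root, safe, win)}")
```

Running it shows the naive result escaping the upload directory only under Windows path rules, which is exactly the platform split the advisory reports.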
Vulnerability Details
EPSS: 0.0%
April 8, 2026
Original source: https://github.com/advisories/GHSA-w8wv-vfpc-hw2w
First tracked: April 8, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 75%