CVE-2026-25732 is a path traversal vulnerability classified under CWE-22 affecting the NiceGUI Python UI framework versions prior to 3.7.0. The vulnerability stems from the FileUpload.name property exposing client-supplied filename metadata without any sanitization. Developers commonly use the pattern of concatenating an upload directory path with the file.name property to save uploaded files. However, if the filename contains '../' sequences, it allows attackers to traverse directories and write files outside the intended upload directory. This can lead to overwriting critical files within the application or server environment, potentially enabling remote code execution if the overwritten files are executable or influence application behavior. The vulnerability requires no privileges or user interaction, making it remotely exploitable over the network. However, exploitation depends on the application developer's implementation; applications that use fixed filenames, generate safe filenames, or sanitize inputs are not vulnerable. The flaw was addressed in NiceGUI version 3.7.0 by implementing proper filename sanitization to prevent directory traversal. No known exploits are currently reported in the wild, but the vulnerability represents a significant security risk due to its potential impact and ease of exploitation in common deployment scenarios.

For European organizations, this vulnerability poses a serious risk to web applications built using NiceGUI versions prior to 3.7.0, especially those that handle file uploads without proper filename sanitization. Successful exploitation can lead to unauthorized file writes outside designated directories, enabling attackers to overwrite application files, inject malicious code, or disrupt application functionality. This can result in remote code execution, compromising the confidentiality and integrity of systems and data. Organizations in sectors with sensitive data or critical infrastructure are particularly at risk, as attackers could leverage this vulnerability to escalate privileges or establish persistent access. The impact extends to reputational damage, regulatory non-compliance (e.g., GDPR), and operational disruption. Given the vulnerability requires no authentication and no user interaction, the attack surface is broad, increasing the likelihood of exploitation if vulnerable applications are exposed to the internet.

European organizations should immediately upgrade all NiceGUI deployments to version 3.7.0 or later to ensure the vulnerability is patched. Where upgrading is not immediately feasible, developers must implement strict sanitization of all client-supplied filenames before incorporating them into filesystem paths. This includes removing or neutralizing directory traversal sequences such as '../' and restricting filenames to safe character sets. Additionally, adopting the use of generated or fixed filenames instead of client-supplied names can prevent exploitation. Implementing application-level controls such as sandboxing file upload directories, enforcing least privilege on file system permissions, and monitoring file system changes can further reduce risk. Security teams should audit existing applications for vulnerable usage patterns and conduct penetration testing to verify remediation. Finally, network-level protections like web application firewalls (WAFs) can be tuned to detect and block suspicious file upload requests containing traversal payloads.