CVE-2026-25732 is a path traversal vulnerability classified under CWE-22, affecting the NiceGUI Python UI framework versions before 3.7.0. The vulnerability stems from the FileUpload.name property exposing the raw filename metadata supplied by clients without any sanitization. Developers commonly use this property to construct file paths by concatenating an upload directory path with the uploaded filename (e.g., UPLOAD_DIR / file.name). Because the filename is not sanitized, an attacker can include directory traversal sequences such as '../' in the filename, enabling them to write files outside the intended upload directory. This can lead to overwriting critical application files or placing malicious files in sensitive locations, potentially resulting in remote code execution if the application later executes or loads these files. The vulnerability does not require authentication or user interaction, making it easier to exploit remotely. However, exploitation depends on the developer’s implementation pattern; applications that use fixed filenames, generate safe filenames, or sanitize the filename input are not vulnerable. The flaw is a common security pitfall in community coding practices involving file uploads. The issue was addressed and fixed in NiceGUI version 3.7.0. No known exploits are reported in the wild as of the publication date. The CVSS v3.1 score is 7.5 (high), reflecting the ease of remote exploitation and the potential for integrity compromise without impacting confidentiality or availability.

For European organizations, this vulnerability poses a significant risk to web applications built with vulnerable versions of NiceGUI that handle file uploads. Successful exploitation can lead to unauthorized file writes outside designated directories, potentially overwriting application files or placing malicious payloads on the server. This can result in remote code execution, allowing attackers to take control of affected systems, escalate privileges, or move laterally within networks. The impact is particularly severe for organizations that deploy NiceGUI-based applications in critical sectors such as finance, healthcare, or government, where data integrity and system trustworthiness are paramount. Additionally, compromised systems may lead to regulatory non-compliance under GDPR if personal data is altered or systems are disrupted. The vulnerability’s ease of exploitation without authentication increases the attack surface, especially for externally facing applications. However, the impact is mitigated if developers have implemented proper filename sanitization or use fixed/generated filenames. Organizations relying on community-developed or open-source applications should audit their codebases for this pattern to prevent exploitation.

The primary mitigation is to upgrade all NiceGUI deployments to version 3.7.0 or later, where the vulnerability is fixed. For organizations unable to upgrade immediately, developers should implement strict sanitization of uploaded filenames by removing or neutralizing directory traversal sequences such as '../' before using them in filesystem paths. Alternatively, applications should avoid using client-supplied filenames directly; instead, generate safe, unique filenames (e.g., UUIDs or hashes) for storage. Employing sandboxed or chrooted environments for file uploads can limit the impact of any traversal attempts. Additionally, implement robust monitoring and alerting for unexpected file writes outside designated directories. Security teams should audit existing applications for unsafe file path constructions and review code patterns involving FileUpload.name usage. Finally, applying the principle of least privilege to file system permissions can reduce the potential damage from exploitation.