{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-16T10:15:24.952","vulnerabilities":[{"cve":{"id":"CVE-2026-33332","sourceIdentifier":"security-advisories@github.com","published":"2026-03-24T20:16:28.743","lastModified":"2026-03-26T12:58:50.417","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0."},{"lang":"es","value":"NiceGUI es un framework de UI basado en Python. Antes de la versión 3.9.0, las rutas de medios app.add_media_file() y app.add_media_files() de NiceGUI aceptan un parámetro de consulta controlado por el usuario que influye en cómo se leen los archivos durante la transmisión. El parámetro se pasa a la implementación de respuesta de rango sin validación, permitiendo a un atacante eludir la transmisión por bloques y forzar al servidor a cargar archivos completos en la memoria de una sola vez. Con archivos multimedia grandes y solicitudes concurrentes, esto puede llevar a un consumo excesivo de memoria, un rendimiento degradado o denegación de servicio. Este problema ha sido parcheado en la versión 3.9.0."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-20"},{"lang":"en","value":"CWE-770"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*","versionEndExcluding":"3.9.0","matchCriteriaId":"07FAF148-5DBE-4936-A171-698A309AEE21"}]}]}],"references":[{"url":"https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76","source":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"]}]}}]}