CVE-2026-45554

5.3 MEDIUM

NiceGUI is a Python-based UI framework

Published: 2026-06-02 · Last updated: 2026-06-02

Severity and scoring

CVSS: 5.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-248, CWE-770

Description

NiceGUI is a Python-based UI framework. Prior to version 3.12.0, two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette's FileResponse, which Uvicorn writes to the server log as a full traceback. Because the routes are reachable without authentication, a remote attacker can amplify log volume and consume disk and log-pipeline capacity on any publicly reachable NiceGUI server. This issue has been patched in version 3.12.0.

Source: NVD
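
An added example, not NiceGUI's patch and not code from the advisory: a standard-library guard that a static-asset handler could run before building a file response, so that a sub-path resolving to a directory is answered with 404 instead of raising. The function names and the asset tree are hypothetical and constructed for the example; the check for paths that resolve outside the asset directory goes beyond the case in the description.

```python
import stat
import tempfile
from pathlib import Path
from typing import Optional


def resolve_asset(base_dir: Path, sub_path: str) -> Optional[Path]:
    """Return the regular file to serve, or None when the route should answer 404."""
    base = base_dir.resolve()
    try:
        candidate = (base / sub_path).resolve()
        # Keep the resolved path strictly inside the asset directory.
        if base not in candidate.parents:
            return None
        mode = candidate.stat().st_mode
    except (OSError, ValueError):
        return None  # missing, unreadable, or malformed path
    # A directory (or FIFO, socket, device) must never reach the file response.
    return candidate if stat.S_ISREG(mode) else None


def status_for(base_dir: Path, sub_path: str) -> int:
    """HTTP status a guarded handler would return for this sub-path."""
    return 200 if resolve_asset(base_dir, sub_path) is not None else 404


def demo() -> dict:
    """Build a constructed asset tree and classify a few sub-paths."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "assets"
        (base / "chart" / "dist").mkdir(parents=True)
        (base / "chart" / "dist" / "chart.js").write_text("// constructed sample\n")
        requests = ["chart/dist/chart.js", "chart/dist", "chart/", "", "missing.js", "../"]
        return {p: status_for(base, p) for p in requests}


if __name__ == "__main__":
    for sub_path, status in demo().items():
        print(f"{sub_path!r:24} -> {status}")
```

Answering 404 from the handler keeps the request out of the unhandled-exception path, so no traceback is written for it.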

Related CVEs

Same CWE

  • CVE-2026-24720 An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 6
  • CVE-2026-46545 Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm (7.5 HIGH)
  • CVE-2026-46411 FlashMQ is a MQTT broker/server, designed for multi-CPU environments (6.5 MEDIUM)
  • CVE-2026-41726 When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with uniqu... (6.5 MEDIUM)
  • CVE-2026-41716 Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhau... (7.5 HIGH)