{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33332", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T22:15:11.812Z", "datePublished": "2026-03-24T19:20:53.386Z", "dateUpdated": "2026-03-25T16:19:18.462Z"}, "containers": {"cna": {"title": "NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76"}, {"name": "https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b", "tags": ["x_refsource_MISC"], "url": "https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b"}, {"name": "https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0"}], "affected": [{"vendor": "zauberzeug", "product": "nicegui", "versions": [{"version": "< 3.9.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:20:53.386Z"}, "descriptions": [{"lang": "en", "value": "NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0."}], "source": {"advisory": "GHSA-w5g8-5849-vj76", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T16:19:01.793986Z", "id": "CVE-2026-33332", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T16:19:18.462Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33332", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T16:19:01.793986Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T16:19:15.730Z"}}], "cna": {"title": "NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion", "source": {"advisory": "GHSA-w5g8-5849-vj76", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "zauberzeug", "product": "nicegui", "versions": [{"status": "affected", "version": "< 3.9.0"}]}], "references": [{"url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76", "name": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b", "name": "https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0", "name": "https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:20:53.386Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33332", "state": "PUBLISHED", "dateUpdated": "2026-03-25T16:19:18.462Z", "dateReserved": "2026-03-18T22:15:11.812Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T19:20:53.386Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*", "matchCriteriaId": "07FAF148-5DBE-4936-A171-698A309AEE21", "versionEndExcluding": "3.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0."}], "id": "CVE-2026-33332", "lastModified": "2026-03-26T12:58:50.417", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T20:16:28.743", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.9.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "nicegui", "source": "cna", "vendor": "zauberzeug"}, "product": "nicegui", "vendor": "zauberzeug"}], "analysis": {"en": {"generated_at": "2026-03-26T16:39:18.847229+00:00", "value": {"mitigation_remediation": ["Update NiceGUI to version 3.9.0 or later, which removes the unvalidated chunk size parameter.", "If an update is not immediately feasible, restrict public access to the media routes, or place a reverse proxy or firewall rule that limits or blocks requests to those endpoints, thereby preventing the vulnerability from being exercised."], "summary": {"action": "Immediate Patch", "impact": "Memory Exhaustion Leading to Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the zauberzeug NiceGUI framework. All releases older than 3.9.0 are impacted. The issue was fixed in the 3.9.0 release and is absent from subsequent versions.", "description_and_impact": "NiceGUI is a Python\u2011based UI framework whose media routes allow a user\u2011controlled query parameter to influence file streaming. Prior to version 3.9.0 this parameter is forwarded to the range\u2011response logic without validation, enabling an attacker to bypass chunked streaming and force the server to load entire media files into memory. The resulting excessive memory usage can degrade performance or trigger a denial of service.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a moderate severity, while an EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. It can be exploited by sending HTTP requests to publicly exposed media routes with a crafted query parameter that forces the server to read full files into memory, which may exhaust RAM and disrupt service."}}}}, "created": "2026-03-25T11:46:17.675178+00:00", "updated": "2026-03-27T09:20:37.239244+00:00", "vendors": ["zauberzeug", "zauberzeug$PRODUCT$nicegui"]}