CVE-2026-33332

Severity: MEDIUM (CVSS 4.0 base score 6.9)
Published: 2026-03-19
References: https://github.com/zauberzeug/nicegui GHSA-w5g8-5849-vj76

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: X (not defined; CVSS 4.0 has no Scope metric, impact is expressed through the VC/VI/VA and SC/SI/SA fields, here VA:L only)

Lifecycle Timeline

- CVE Published: Mar 19, 2026 - 18:48 (nvd)
- Analysis Generated: Mar 19, 2026 - 19:00 (vuln.today)
- Patch Released: Mar 31, 2026 - 21:13 (nvd); patch available

Description

## Summary

NiceGUI's `app.add_media_file()` and `app.add_media_files()` media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service.

## Impact

**Affected applications:** NiceGUI applications that serve media content via `app.add_media_file()` or `app.add_media_files()`, particularly those serving large files (video, audio).

**What an attacker can do:**

- Force the server to load entire files into memory instead of streaming them in chunks
- Amplify memory usage with concurrent requests to large media files
- Cause performance degradation, memory pressure, and potential OOM conditions

**Attack difficulty:** Low - requires only a crafted query parameter.

## Remediation

Upgrade to a patched version of NiceGUI. As a workaround, restrict access to media endpoints or strip unexpected query parameters at a reverse proxy layer.
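The following is an added example, not NiceGUI's own code and not the patch: it shows the failure mode the advisory describes (a client-supplied query parameter reaching the size of each file read) next to a range-response helper whose read size is fixed server-side, plus an allowlist filter of the kind the workaround asks a reverse proxy or middleware to apply. The advisory does not name the parameter, so `chunk_size`, the 64 KiB cap, the empty allowlist and the 1 MiB sample "file" are all assumptions made for illustration.

```python
"""Added example (not NiceGUI code): chunked range responses with a fixed read
size, the unsafe client-controlled variant for contrast, and a query allowlist.
Parameter name `chunk_size`, the 64 KiB cap and SAMPLE are assumptions."""
import io
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CHUNK_SIZE = 64 * 1024                 # server-chosen read size (assumption)
ALLOWED_MEDIA_PARAMS = frozenset()     # media routes need no query params (assumption)
SAMPLE = bytes(range(256)) * 4096      # constructed 1 MiB stand-in for a media file


def parse_range(header, total):
    """Resolve a single-range 'bytes=start-end' header to an inclusive (start, end).
    No header means the whole file; malformed or unsatisfiable ranges raise ValueError."""
    if header is None:
        return 0, total - 1
    m = re.fullmatch(r"bytes=(\d*)-(\d*)", header.strip())
    if not m or m.group(1) == m.group(2) == "":
        raise ValueError("malformed Range header")
    if m.group(1) == "":               # suffix form: the last N bytes
        n = int(m.group(2))
        if n == 0:
            raise ValueError("empty suffix range")
        start, end = max(total - n, 0), total - 1
    else:
        start = int(m.group(1))
        end = min(int(m.group(2)), total - 1) if m.group(2) else total - 1
    if start >= total or start > end:
        raise ValueError("unsatisfiable range")
    return start, end


def range_is_satisfiable(header, total):
    try:
        parse_range(header, total)
        return True
    except ValueError:
        return False


def stream_range_unsafe(fileobj, start, end, query):
    """The failure mode the advisory describes: the read size comes from the
    request, so chunk_size=999999999 turns chunked streaming into a single
    read of the whole range. Kept only for contrast; do not use."""
    size = int(query.get("chunk_size", [CHUNK_SIZE])[0])   # hypothetical param name
    fileobj.seek(start)
    remaining = end - start + 1
    while remaining > 0:
        data = fileobj.read(min(size, remaining))
        if not data:
            break
        remaining -= len(data)
        yield data


def stream_range(fileobj, start, end, chunk_size=CHUNK_SIZE):
    """Hardened form: the read size is a server constant. Nothing from the query
    string reaches read(), so memory held per request is bounded by chunk_size."""
    fileobj.seek(start)
    remaining = end - start + 1
    while remaining > 0:
        data = fileobj.read(min(chunk_size, remaining))
        if not data:
            break
        remaining -= len(data)
        yield data


def strip_query(url, allowed=ALLOWED_MEDIA_PARAMS):
    """Workaround-style filter: keep only allowlisted query parameters, in order.
    An allowlist beats a denylist here because the offending parameter name
    need not be known in advance."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k in allowed]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def chunk_lengths(stream_fn, range_header=None, **kwargs):
    """Drive a streaming function over SAMPLE and return each read's length,
    i.e. how much of the file sat in memory at once."""
    start, end = parse_range(range_header, len(SAMPLE))
    return [len(c) for c in stream_fn(io.BytesIO(SAMPLE), start, end, **kwargs)]


if __name__ == "__main__":
    hostile = {"chunk_size": ["999999999"]}
    print("unsafe reads:", chunk_lengths(stream_range_unsafe, query=hostile))
    print("hardened largest read:", max(chunk_lengths(stream_range)))
    print(strip_query("/media/abc/video.mp4?chunk_size=999999999&v=1"))
```

Run stand-alone, the script shows the unsafe variant answering a hostile request with one 1 MiB read while the hardened helper never reads more than 64 KiB at a time regardless of the query string; `chunk_lengths` is the check to reuse when confirming that a deployed handler's per-read size really is bounded. The Range parsing is deliberately minimal (single ranges only), which is enough to demonstrate the point and to reject the malformed or unsatisfiable headers that often accompany such probes.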

Analysis

NiceGUI's media file serving functions fail to validate a user-supplied query parameter used in range-response handling, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. Applications using app.add_media_file() or app.add_media_files() to serve large media content are exposed to denial of service through memory exhaustion and performance degradation when handling concurrent malicious requests. …

Remediation

Within 30 days: identify affected systems and apply the vendor patch as part of the regular patch cycle (the timeline above records the patch as released on Mar 31, 2026). Until then, apply the advisory's workaround of restricting access to media endpoints or stripping unexpected query parameters at a reverse proxy.

Priority Score: 35 (scale: Low / Medium / High / Critical)

- KEV: 0
- EPSS: +0.0
- CVSS: +34
- POC: 0
