A vulnerability in NiceGUI, a Python-based UI framework, tracked as CVE-2026-45554, could allow attackers to trigger uncaught exceptions through two FastAPI routes that serve per-component static assets. The vulnerability carries a CVSS score of 5.3 and affects NiceGUI versions prior to 3.12.0.
What Is the Vulnerability?
CVE-2026-45554 is an uncaught exception vulnerability in two FastAPI routes within NiceGUI that handle per-component static asset serving. NiceGUI is a Python framework for building web-based user interfaces, used for creating dashboards, data applications, and interactive tools. When these static asset routes receive crafted requests, they can throw uncaught exceptions that may expose internal application information or cause service disruption.
The vulnerability is classified under CWE-248 (Uncaught Exception). While the CVSS score of 5.3 reflects a medium severity, the exposure of internal application details through exception messages can aid attackers in reconnaissance and planning further attacks against the application.
- CVSS v3.1 Score: 5.3 (Medium)
- Attack Vector: Network (AV:N)
- Attack Complexity: Low (AC:L)
- Privileges Required: None (PR:N)
- User Interaction: None (UI:N)
- Impact: Low on confidentiality, none on integrity, none on availability (C:L/I:N/A:N)
Which Versions Are Affected?
The vulnerability affects NiceGUI:
- NiceGUI: all versions prior to 3.12.0
The fix was released in NiceGUI version 3.12.0.
Is It Being Exploited in the Wild?
No active exploitation has been publicly reported.
What Is the Fix?
Update NiceGUI to version 3.12.0 or later via pip. Quote the requirement specifier, otherwise the shell interprets the >= as an output redirection to a file named =3.12.0 rather than passing it to pip:
pip install --upgrade "nicegui>=3.12.0"
Verify the installed version with pip show nicegui. The response should show version 3.12.0 or later.
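As an added example (not part of the advisory and not NiceGUI project code), the following standard-library Python script checks a pip show output and a requirements file against the 3.12.0 fix boundary stated above. It also treats pre-release tags such as 3.12.0rc1 as older than 3.12.0, which a naive string comparison would get wrong. The pip show text and requirements lines are constructed sample input; the function names are this example's own.

```python
"""Flag NiceGUI versions that predate the CVE-2026-45554 fix (3.12.0).

Added example, not from the advisory or the NiceGUI project. Standard
library only; the inputs below are constructed samples.
"""
import re
from typing import List, Optional, Tuple

FIXED_VERSION = "3.12.0"  # first release containing the fix, per the advisory

# Constructed sample outputs, not captured from a real environment.
SAMPLE_PIP_SHOW_OLD = "Name: nicegui\nVersion: 3.11.2\nSummary: (omitted)\n"
SAMPLE_PIP_SHOW_NEW = "Name: nicegui\nVersion: 3.12.0\nSummary: (omitted)\n"
SAMPLE_REQUIREMENTS = (
    "some-other-package==1.0.0\n"
    "nicegui==3.11.2  # pinned last year\n"
    "NiceGUI==3.12.1\n"
)


def version_key(text: str) -> Tuple[int, ...]:
    """Sortable key for a PEP 440-style release string.

    The numeric release segment is padded to three components so '3.12'
    equals '3.12.0'. A pre-release suffix (a, b, rc, .dev) appends 0, a
    final release appends 1, so '3.12.0rc1' sorts before '3.12.0'.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    is_prerelease = bool(re.match(r"(a|b|rc|\.dev)\d*", m.group(2)))
    return tuple(parts) + (0 if is_prerelease else 1,)


def is_vulnerable(version: str) -> bool:
    """True when the given NiceGUI version is older than the fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)


def installed_version(pip_show_output: str) -> Optional[str]:
    """Extract the Version: field from `pip show nicegui` output."""
    for line in pip_show_output.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    return None


def audit_requirements(requirements_text: str) -> List[str]:
    """Return the exact nicegui== pins in a requirements file that are vulnerable.

    Range specifiers (>=, ~=) are not resolved here; check the installed
    version for those with installed_version() instead.
    """
    offending = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"^nicegui\s*==\s*([^\s;]+)$", line, re.IGNORECASE)
        if m and is_vulnerable(m.group(1)):
            offending.append(line)
    return offending


if __name__ == "__main__":
    for label, output in (("old", SAMPLE_PIP_SHOW_OLD), ("new", SAMPLE_PIP_SHOW_NEW)):
        ver = installed_version(output)
        print(f"{label}: installed {ver} -> {'VULNERABLE' if is_vulnerable(ver) else 'fixed'}")
    print("vulnerable pins:", audit_requirements(SAMPLE_REQUIREMENTS))
```

Feed it the real output of pip show nicegui and your project's requirements file; any line it returns from audit_requirements is a pin that will reinstall the vulnerable release on the next deployment.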
Recommendations
Update NiceGUI to 3.12.0. Apply the update as part of your routine dependency management cycle. NiceGUI applications that are internet-facing should be prioritised, as the information disclosure through uncaught exceptions is most useful to external attackers performing reconnaissance.
Review exception handling in deployed NiceGUI applications. Even after updating the framework, ensure your application-level code handles exceptions gracefully and does not expose stack traces or internal paths to end users. Configure your deployment to use production error pages rather than development-level debug output.
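To make the recommendation above concrete, here is an added, framework-agnostic Python example (not code from the advisory, NiceGUI or FastAPI) of a last-resort error handler that logs the full traceback server-side under a correlation id and returns only a generic message to the client, plus a small checker that scans a response body for the markers a debug-mode error page leaks (traceback header, source file names, site-packages, absolute paths). The asset table, the failing route and the function names are constructed for the example.

```python
"""Production-safe error rendering with a leak check.

Added example, not from the advisory or the NiceGUI project. The route
below is a constructed stand-in for any handler that can raise; it is
not a reproduction of the CVE.
"""
import logging
import re
import traceback
import uuid
from typing import List, Tuple

log = logging.getLogger("app.errors")

# Constructed per-component asset table standing in for files on disk.
ASSETS = {"button.js": "export const label = 'ok';"}

# Heuristic markers of internal detail that must never reach an end user.
LEAK_MARKERS = [
    ("traceback", re.compile(r"Traceback \(most recent call last\)")),
    ("source-file", re.compile(r'File "[^"]+\.py"')),
    ("site-packages", re.compile(r"site-packages")),
    ("abs-path", re.compile(r"/[\w.-]+(?:/[\w.-]+)+")),  # two or more path segments
]


def render_error(exc: BaseException, debug: bool) -> Tuple[int, str]:
    """Return (status, body) for an unhandled exception.

    The traceback always goes to the server log, keyed by a short incident
    id. Only in debug mode is it echoed to the client; in production the
    client sees the id alone, which support staff can match to the log.
    """
    incident_id = uuid.uuid4().hex[:12]
    details = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("incident %s\n%s", incident_id, details)
    if debug:
        return 500, details
    return 500, f"Something went wrong. Reference: {incident_id}"


def leaks_internal_details(body: str) -> List[str]:
    """Names of LEAK_MARKERS found in a response body (empty list == clean)."""
    return [name for name, pattern in LEAK_MARKERS if pattern.search(body)]


def serve_asset(name: str) -> str:
    """Constructed route body: raises like a file read on a missing asset would."""
    if name not in ASSETS:
        raise FileNotFoundError(
            f"[Errno 2] No such file or directory: '/srv/app/components/{name}'"
        )
    return ASSETS[name]


def handle_request(name: str, debug: bool) -> Tuple[int, str]:
    """Dispatch one request; the except clause is the last-resort handler."""
    try:
        return 200, serve_asset(name)
    except Exception as exc:
        return render_error(exc, debug)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for debug in (True, False):
        status, body = handle_request("missing.js", debug=debug)
        print(f"debug={debug}: status={status} leaks={leaks_internal_details(body)}")
```

In a FastAPI-based application, including a NiceGUI one, the equivalent hook is the application's exception handler registration (FastAPI and Starlette expose add_exception_handler); the same rule applies: log the detail, return the reference id. The leaks_internal_details check is also useful as a test against your deployed error pages, since a debug flag left on in one environment is exactly the kind of drift a routine update will not catch.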
References
This advisory is covered in the broader Vulnerability Intelligence Report — June 3, 2026. For a comprehensive view of all active threats and newly disclosed vulnerabilities, refer to the full report.
