CVE-2026-21871

Medium CVSS: 6.1

NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is a XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim’s browser. Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected. This issue has been patched in version 3.5.0.

Vendor

Zauberzeug

Product

Nicegui

CWE

CWE-79

Yayın Tarihi

2026-01-08 10:15:55

Güncelleme

2026-01-15 17:40:09

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Nicegui MEDIUM Zauberzeug 2026

Referanslar

https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0 https://github.com/zauberzeug/nicegui/security/advisories/GHSA-7grm-h62g-5m97

Benzer Kayıtlar

Medium

CVE-2026-33332

NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files()…

Medium

CVE-2026-27156

NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side…

Medium

CVE-2026-25516

NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown conte…

High

CVE-2026-25732

NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filen…

Medium

CVE-2026-21872

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event liste…

High

CVE-2026-21873

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event l…