{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21871", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-05T16:44:16.369Z", "datePublished": "2026-01-08T09:49:55.136Z", "dateUpdated": "2026-01-08T15:15:16.509Z"}, "containers": {"cna": {"title": "NiceGUI is vulnerable to XSS via Unescaped URL in ui.navigate.history.push() / replace()", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-7grm-h62g-5m97", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-7grm-h62g-5m97"}, {"name": "https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0"}], "affected": [{"vendor": "zauberzeug", "product": "nicegui", "versions": [{"version": ">= 2.13.0, < 3.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-08T09:49:55.136Z"}, "descriptions": [{"lang": "en", "value": "NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is a XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim\u2019s browser. Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected. This issue has been patched in version 3.5.0."}], "source": {"advisory": "GHSA-7grm-h62g-5m97", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T15:14:43.571499Z", "id": "CVE-2026-21871", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T15:15:16.509Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21871", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T15:14:43.571499Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T15:15:07.046Z"}}], "cna": {"title": "NiceGUI is vulnerable to XSS via Unescaped URL in ui.navigate.history.push() / replace()", "source": {"advisory": "GHSA-7grm-h62g-5m97", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "zauberzeug", "product": "nicegui", "versions": [{"status": "affected", "version": ">= 2.13.0, < 3.5.0"}]}], "references": [{"url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-7grm-h62g-5m97", "name": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-7grm-h62g-5m97", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0", "name": "https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is a XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim\u2019s browser. Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected. This issue has been patched in version 3.5.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-08T09:49:55.136Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21871", "state": "PUBLISHED", "dateUpdated": "2026-01-08T15:15:16.509Z", "dateReserved": "2026-01-05T16:44:16.369Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-08T09:49:55.136Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*", "matchCriteriaId": "09329AA3-8C5E-402E-97FB-3BE65F4F0DF7", "versionEndExcluding": "3.5.0", "versionStartIncluding": "2.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is a XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim\u2019s browser. Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected. This issue has been patched in version 3.5.0."}], "id": "CVE-2026-21871", "lastModified": "2026-01-15T17:40:09.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-08T10:15:55.300", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-7grm-h62g-5m97"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T07:45:11.331813+00:00", "value": {"mitigation_remediation": ["Upgrade the NiceGUI installation to version 3.5.0 or newer, which includes proper escaping of URLs passed to ui.navigate.history.push() and ui.navigate.history.replace().", "Audit all application code that calls ui.navigate.history.push() or ui.navigate.history.replace() and ensure that any URLs coming from user input are sanitized or that untrusted data is never passed to these helpers.", "If an immediate upgrade is not feasible, remove or replace any calls to ui.navigate.history.push() or ui.navigate.history.replace() that use dynamic URLs, and use alternative navigation mechanisms that validate or escape the input."], "summary": {"action": "Patch Upgrade", "impact": "Cross\u2011Site Scripting (client\u2011side)"}, "threat_synthesis": {"affected_systems": "The affected product is NiceGUI, a Python\u2011based UI framework developed by zauberzeug. Versions from 2.13.0 up to and including 3.4.1 contain the flaw; these installations are vulnerable when untrusted input is passed to the navigation APIs. A fix is available in version 3.5.0 released by the vendor.", "description_and_impact": "NiceGUI versions 2.13.0 through 3.4.1 allow arbitrary JavaScript to be executed in a victim's browser if an attacker controls the string passed to ui.navigate.history.push() or ui.navigate.history.replace(). The framework generates JavaScript that embeds the supplied URL without proper escaping, enabling a crafted payload to break out of the intended string context. This flaw therefore enables cross\u2011site scripting attacks that could result in session hijacking, data theft, or malicious script execution on the client side.", "risk_and_exploitability": "The vulnerability carries a CVSS base score of 6.1 and an EPSS score of less than 1\u202f%, indicating a moderate severity and a very low current exploitation probability. The flaw is not listed in the CISA KEV catalog. Exploitation requires the web application to forward attacker\u2011controlled input to the navigation helpers; if the application never does so, the risk is effectively mitigated. The likely attack vector is client\u2011side through the browser, triggered by an attacker\u2011crafted URL that the application injects into the JavaScript context."}}}}, "created": "2026-01-09T13:25:36.249350+00:00", "updated": "2026-04-18T07:45:24.986009+00:00", "vendors": ["zauberzeug", "zauberzeug$PRODUCT$nicegui"]}