{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21872", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-05T16:44:16.369Z", "datePublished": "2026-01-08T09:50:02.801Z", "dateUpdated": "2026-01-08T15:13:11.652Z"}, "containers": {"cna": {"title": "NiceGUI apps are vulnerable to XSS which uses `ui.sub_pages` and render arbitrary user-provided links", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-m7j5-rq9j-6jj9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-m7j5-rq9j-6jj9"}, {"name": "https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0"}], "affected": [{"vendor": "zauberzeug", "product": "nicegui", "versions": [{"version": ">= 2.22.0, < 3.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-08T09:50:02.801Z"}, "descriptions": [{"lang": "en", "value": "NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0."}], "source": {"advisory": "GHSA-m7j5-rq9j-6jj9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T15:12:53.988468Z", "id": "CVE-2026-21872", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T15:13:11.652Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21872", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T15:12:53.988468Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T15:13:00.614Z"}}], "cna": {"title": "NiceGUI apps are vulnerable to XSS which uses `ui.sub_pages` and render arbitrary user-provided links", "source": {"advisory": "GHSA-m7j5-rq9j-6jj9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "zauberzeug", "product": "nicegui", "versions": [{"status": "affected", "version": ">= 2.22.0, < 3.5.0"}]}], "references": [{"url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-m7j5-rq9j-6jj9", "name": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-m7j5-rq9j-6jj9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0", "name": "https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-08T09:50:02.801Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21872", "state": "PUBLISHED", "dateUpdated": "2026-01-08T15:13:11.652Z", "dateReserved": "2026-01-05T16:44:16.369Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-08T09:50:02.801Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*", "matchCriteriaId": "37903F79-6269-4F0A-939A-36F3E3CC41B3", "versionEndExcluding": "3.5.0", "versionStartIncluding": "2.22.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0."}], "id": "CVE-2026-21872", "lastModified": "2026-01-15T17:41:02.210", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-08T10:15:55.470", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-m7j5-rq9j-6jj9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:45:06.532486+00:00", "value": {"mitigation_remediation": ["Upgrade NiceGUI to version 3.5.0 or later to eliminate the unsafe click event handling.", "If upgrading immediately is not possible, sanitize or encode all user\u2011provided URLs rendered through ui.sub_pages to prevent injection of executable script tags.", "Add a content\u2011security\u2011policy header that restricts script execution to trusted origins and disallows inline scripts to mitigate the impact of any remaining XSS vectors."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011site scripting via ui.sub_pages click event"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Python\u2011based NiceGUI UI framework from versions 2.22.0 through 3.4.1 released by zauberzeug. All deployments that use these affected releases and permit user\u2011controlled links to be rendered via ui.sub_pages are at risk until patched to version 3.5.0 or newer.", "description_and_impact": "An unsafe implementation in NiceGUI\u2019s click event listener tied to the ui.sub_pages component allows an attacker to embed a link that, when clicked by a user, triggers the browser to execute attacker\u2011controlled JavaScript code. This results in client\u2011side cross\u2011site scripting, enabling arbitrary JavaScript execution within the victim\u2019s browser context when the link is activated.", "risk_and_exploitability": "The CVSS score is 6.1, indicating a medium severity. The EPSS score is below 1\u202f%, suggesting a low but non\u2011zero likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. The likely attack vector is local client\u2011side XSS, requiring the victim to click a crafted link; thus, it is an in\u2011browser exploitation that relies on user interaction."}}}}, "created": "2026-01-09T13:25:38.129818+00:00", "updated": "2026-04-18T17:00:05.556571+00:00", "vendors": ["zauberzeug", "zauberzeug$PRODUCT$nicegui"]}