XSS Vulnerability in NiceGUI Python Framework for UI Design
CVE-2025-66470

6.1 MEDIUM

Key Information:

Vendor: Zauberzeug
Status: Vendor
CVE Published: 9 December 2025

What is CVE-2025-66470?

The NiceGUI framework, a Python-based solution for creating user interfaces, is vulnerable to a Cross-Site Scripting (XSS) attack in versions 3.3.1 and earlier. This vulnerability stems from the usage of Vue's v-html directive within the ui.interactive_image component, which renders SVG content without adequate sanitization. Attackers can exploit this oversight by injecting malicious HTML or JavaScript through the SVG tag upon rendering or updating the image component. This poses significant risks, particularly in dashboards and multi-user applications that showcase user-generated content or annotations, as it can lead to unauthorized data manipulation or phishing attempts. Users are encouraged to upgrade to version 3.4.0 to mitigate this risk.
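As an added, defender-side example (not NiceGUI project code, and not the fix that shipped in 3.4.0), the following allow-list sanitizer shows how an application can strip script-bearing elements and attributes from user-supplied SVG annotations before handing them to a component that renders them as raw HTML; the element and attribute allow-lists and the sample overlay are assumptions constructed for this illustration.

```python
"""Allow-list sanitizer for SVG annotation overlays bound for an inline-HTML
(v-html style) sink such as ui.interactive_image. Added example, not NiceGUI
project code; the fix shipped in 3.4.0 may differ. Parse with defusedxml in
production: xml.etree does not block entity-expansion attacks."""
import xml.etree.ElementTree as ET

ET.register_namespace("", "http://www.w3.org/2000/svg")  # emit plain <svg xmlns=...>

# Elements/attributes an annotation overlay legitimately needs (assumed set).
ALLOWED_TAGS = {"svg", "g", "rect", "circle", "ellipse", "line", "polyline",
                "polygon", "path", "text", "tspan", "title"}
ALLOWED_ATTRS = {"x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx", "ry",
                 "width", "height", "d", "points", "fill", "stroke",
                 "stroke-width", "opacity", "transform", "viewBox",
                 "font-size", "text-anchor", "id", "class"}

def _local(name: str) -> str:
    """Strip a {namespace} prefix from an ElementTree tag or attribute name."""
    return name.rsplit("}", 1)[-1]

def _scrub(elem: ET.Element) -> None:
    # Drop attributes outside the allow-list: on* handlers, href/xlink:href,
    # style, and anything else that can carry script or a URL.
    for name in list(elem.attrib):
        if _local(name) not in ALLOWED_ATTRS:
            del elem.attrib[name]
    # Drop disallowed children whole (script, foreignObject, a, use, ...).
    for child in list(elem):
        if _local(child.tag) not in ALLOWED_TAGS:
            elem.remove(child)
        else:
            _scrub(child)

def sanitize_svg_overlay(svg: str) -> str:
    """Return `svg` reduced to allow-listed markup, or "" when it is not a
    well-formed <svg> document (reject rather than pass half-parsed input)."""
    try:
        root = ET.fromstring(svg)
    except ET.ParseError:
        return ""
    if _local(root.tag) != "svg":
        return ""
    _scrub(root)
    return ET.tostring(root, encoding="unicode")

# Constructed sample: one legitimate box plus an injected handler, script and link.
SAMPLE = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">'
          '<rect x="10" y="10" width="20" height="20" stroke="red" fill="none"'
          ' onclick="alert(1)"/><script>alert(1)</script>'
          '<a href="javascript:alert(1)"><text x="5" y="5">t</text></a></svg>')
```

Only the returned string, never the raw annotation, should reach the image component; an empty result means the input was rejected and should not be rendered at all.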

Affected Version(s)

nicegui < 3.4.0

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.