Cross-Site Scripting Vulnerability in NiceGUI Python Framework by Zauberzeug
CVE-2026-21872

6.1MEDIUM

Key Information:

Vendor: Zauberzeug
Status: Nicegui
Vendor: CVE Published:; 8 January 2026

What is CVE-2026-21872?

A cross-site scripting (XSS) vulnerability exists in the NiceGUI framework, affecting versions between 2.22.0 and 3.4.1. This issue arises from an unsafe click event handler linked to ui.sub_pages, which permits an attacker to render links controlled by them. When users click these links, malicious scripts can execute within the context of their browser sessions, posing a risk of unauthorized data exposure or session hijacking. Users are urged to upgrade to version 3.5.0 or later to mitigate this risk.

Affected Version(s)

nicegui >= 2.22.0, < 3.5.0

References

https://github.com/zauberzeug/nicegui/security/advisories...

x_refsource_CONFIRM

https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 8, 2026
Vulnerability Reserved
Jan 5, 2026

CVE-2026-21872 Data

JSON