Description
NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is an XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim’s browser. Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected. This issue has been patched in version 3.5.0.
Published: 2026-01-08
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting (client-side)
Action: Patch Upgrade
AI Analysis

Impact

NiceGUI versions 2.13.0 through 3.4.1 allow arbitrary JavaScript to be executed in a victim's browser if an attacker controls the string passed to ui.navigate.history.push() or ui.navigate.history.replace(). The framework generates JavaScript that embeds the supplied URL without proper escaping, enabling a crafted payload to break out of the intended string context. This flaw therefore enables cross-site scripting attacks that could result in session hijacking, data theft, or malicious script execution on the client side.

Affected Systems

The affected product is NiceGUI, a Python-based UI framework developed by zauberzeug. Versions from 2.13.0 up to and including 3.4.1 contain the flaw; these installations are vulnerable when untrusted input is passed to the navigation APIs. A fix is available in version 3.5.0 released by the vendor.

Risk and Exploitability

The vulnerability carries a CVSS base score of 6.1 and an EPSS score of less than 1%, indicating a moderate severity and a very low current exploitation probability. The flaw is not listed in the CISA KEV catalog. Exploitation requires the web application to forward attacker-controlled input to the navigation helpers; if the application never does so, the risk is effectively mitigated. The likely attack vector is client-side through the browser, triggered by an attacker-crafted URL that the application injects into the JavaScript context.

Generated by OpenCVE AI on April 18, 2026 at 07:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the NiceGUI installation to version 3.5.0 or newer, which includes proper escaping of URLs passed to ui.navigate.history.push() and ui.navigate.history.replace().
  • Audit all application code that calls ui.navigate.history.push() or ui.navigate.history.replace() and ensure that any URLs coming from user input are sanitized or that untrusted data is never passed to these helpers.
  • If an immediate upgrade is not feasible, remove or replace any calls to ui.navigate.history.push() or ui.navigate.history.replace() that use dynamic URLs, and use alternative navigation mechanisms that validate or escape the input.
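As an added example (not NiceGUI's own code, and not a reproduction of the 3.5.0 fix), the following Python shows the two defensive layers the actions above call for: an allow-list validator that accepts only same-origin relative paths before any user-influenced value reaches a history helper, and a JSON-based escaper for the case where a URL must be embedded in generated JavaScript. build_history_js() and navigate_from_user_input() are hypothetical stand-ins used only to show where validation and escaping sit; the allow-list itself is an assumption of this example and no nicegui import is needed.

```python
"""Defensive handling of user-influenced URLs destined for a History API wrapper.

Added example, not NiceGUI's own code. build_history_js() is a hypothetical
stand-in for a helper that emits pushState/replaceState JavaScript; it exists
only to show the escaping step that keeps a URL from breaking out of the
JavaScript string literal it is embedded in.
"""
import json
import re
from typing import Optional
from urllib.parse import urlsplit

# Allow-list (assumption of this example): the app only ever steers the history
# URL to plain same-origin paths such as /docs/page?tab=2.
_SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~/%\-]*$")
_SAFE_QUERY = re.compile(r"^[A-Za-z0-9._~%\-&=]*$")


def validate_history_url(candidate: str) -> Optional[str]:
    """Return the candidate unchanged if it is a relative, same-origin path
    (optional query), otherwise None.

    Rejects absolute URLs, scheme-relative URLs (//host/...), javascript: URLs,
    fragments, and any character outside the allow-list (quotes, parentheses,
    semicolons, angle brackets, whitespace ...)."""
    if not candidate or len(candidate) > 2048:
        return None
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc or parts.fragment:
        return None
    if not _SAFE_PATH.match(parts.path) or not _SAFE_QUERY.match(parts.query):
        return None
    return candidate


def js_string_literal(value: str) -> str:
    """Render value as a JavaScript string literal that cannot close the
    literal or the surrounding <script> element.

    json.dumps (with the default ensure_ascii=True) escapes double quotes,
    backslashes, C0 control characters and every non-ASCII code point,
    which covers the line terminators U+2028/U+2029. JSON leaves '<' and '>'
    raw, so they are escaped here as well; otherwise a value containing
    </script> would terminate an inline script block."""
    literal = json.dumps(value, ensure_ascii=True)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e")


def build_history_js(url: str, replace: bool = False) -> str:
    """Hypothetical wrapper body: the URL reaches the generated JavaScript only
    through js_string_literal(), never through raw string concatenation."""
    method = "replaceState" if replace else "pushState"
    return f'history.{method}(null, "", {js_string_literal(url)});'


def navigate_from_user_input(user_supplied: str, replace: bool = False) -> Optional[str]:
    """What application code should do: validate first, escape second.
    Returns the JavaScript to emit, or None when the input is rejected."""
    url = validate_history_url(user_supplied)
    if url is None:
        return None
    return build_history_js(url, replace=replace)


if __name__ == "__main__":
    # Constructed sample inputs: one acceptable path and three that must be rejected.
    for sample in ["/docs/page?tab=2", "https://evil.example/", "//evil.example/x", "/a'b"]:
        print(repr(sample), "->", navigate_from_user_input(sample))
```

The validator is deliberately stricter than the escaper: even a correctly escaped URL still lands in the browser's history and address bar, so an application that only needs to navigate within itself should reject anything that is not a plain same-origin path rather than rely on escaping alone. The escaper matters for the framework-level case, where the helper cannot know what the application considers acceptable and must at minimum keep the value inside the string literal.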


Advisories
Source: GitHub GHSA
ID: GHSA-7grm-h62g-5m97
Title: NiceGUI is vulnerable to XSS via Unescaped URL in ui.navigate.history.push() / replace()
History

Thu, 15 Jan 2026 17:45:00 +0000

Values added:
CPEs: cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*

Fri, 09 Jan 2026 13:30:00 +0000

Values added:
First time appeared: Zauberzeug; Zauberzeug nicegui
Vendors & Products: Zauberzeug; Zauberzeug nicegui

Thu, 08 Jan 2026 18:15:00 +0000

Values added:
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 10:00:00 +0000

Values added:
Description: NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is an XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim’s browser. Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected. This issue has been patched in version 3.5.0.
Title: NiceGUI is vulnerable to XSS via Unescaped URL in ui.navigate.history.push() / replace()
Weaknesses: CWE-79
References:
Metrics (cvssV3_1): {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T15:15:16.509Z

Reserved: 2026-01-05T16:44:16.369Z

Link: CVE-2026-21871

Vulnrichment

Updated: 2026-01-08T15:15:07.046Z

NVD

Status: Analyzed

Published: 2026-01-08T10:15:55.300

Modified: 2026-01-15T17:40:09.563

Link: CVE-2026-21871

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:45:24Z

Weaknesses