Description
NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0.
Published: 2026-01-08
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting via ui.sub_pages click event
Action: Apply Patch
AI Analysis

Impact

An unsafe implementation in NiceGUI’s click event listener tied to the ui.sub_pages component allows an attacker to embed a link that, when clicked by a user, triggers the browser to execute attacker‑controlled JavaScript code. This results in client‑side cross‑site scripting, enabling arbitrary JavaScript execution within the victim’s browser context when the link is activated.

Affected Systems

The vulnerability affects the Python‑based NiceGUI UI framework from versions 2.22.0 through 3.4.1 released by zauberzeug. All deployments that use these affected releases and permit user‑controlled links to be rendered via ui.sub_pages are at risk until patched to version 3.5.0 or newer.

Risk and Exploitability

The CVSS score is 6.1, indicating a medium severity. The EPSS score is below 1 %, suggesting a low but non‑zero likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. The likely attack vector is local client‑side XSS, requiring the victim to click a crafted link; thus, it is an in‑browser exploitation that relies on user interaction.

Generated by OpenCVE AI on April 18, 2026 at 16:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NiceGUI to version 3.5.0 or later to eliminate the unsafe click event handling.
  • If upgrading immediately is not possible, sanitize or encode all user‑provided URLs rendered through ui.sub_pages to prevent injection of executable script tags.
  • Add a content‑security‑policy header that restricts script execution to trusted origins and disallows inline scripts to mitigate the impact of any remaining XSS vectors.

Generated by OpenCVE AI on April 18, 2026 at 16:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m7j5-rq9j-6jj9 NiceGUI apps are vulnerable to XSS which uses `ui.sub_pages` and render arbitrary user-provided links
History

Thu, 15 Jan 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Zauberzeug
Zauberzeug nicegui
Vendors & Products Zauberzeug
Zauberzeug nicegui

Thu, 08 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
Description NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0.
Title NiceGUI apps are vulnerable to XSS which uses `ui.sub_pages` and render arbitrary user-provided links
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Zauberzeug Nicegui
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T15:13:11.652Z

Reserved: 2026-01-05T16:44:16.369Z

Link: CVE-2026-21872

cve-icon Vulnrichment

Updated: 2026-01-08T15:13:00.614Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-08T10:15:55.470

Modified: 2026-01-15T17:41:02.210

Link: CVE-2026-21872

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z

Weaknesses