CVE-2026-21873 - Vulnerability Details

- Zero-click XSS in all NiceGUI apps which uses `ui.sub_pages`

Description

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been patched in version 3.5.0.

Published: 2026-01-08

Score: 7.2 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

NiceGUI, a Python UI framework, contains an unsafe pushstate event listener used by ui.sub_pages. The listener incorrectly handles changes to the fragment identifier of the URL. An attacker can exploit this flaw by loading the application in a cross‑site iframe and manipulating the fragment without user interaction. The result is a zero‑click XSS vulnerability that can inject arbitrary script into the victim’s browser, enabling session hijacking, credential theft, or defacement of the application.

Affected Systems

Applications built with Zauberzeug NiceGUI versions from 2.22.0 up to 3.4.1 that use ui.sub_pages are affected. All such deployments are vulnerable regardless of the host or domain, as the flaw resides in the framework’s client‑side code.

Risk and Exploitability

The CVSS score of 7.2 indicates moderate‑to‑high severity. The EPSS score is below 1%, suggesting a low likelihood of widespread exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. However, because the flaw can be triggered without any user interaction from a cross‑site iframe, it is effectively zero‑click and can be executed by remote attackers who control a malicious site. The patch was released in NiceGUI 3.5.0; lacking the fix an attacker can simply craft a malicious page that embeds the target application and sets the fragment identifier to trigger script injection.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

zauberzeug

nicegui

affected

Version	Status	Constraints
`>= 2.22.0, < 3.5.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Zauberzeug	Nicegui	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade NiceGUI to version 3.5.0 or later to eliminate the fault in the pushstate listener.
If an upgrade cannot be performed immediately, remove or disable the use of ui.sub_pages in the application to prevent the vulnerable fragment manipulation.
Implement a strict Content Security Policy that disallows inline scripts and unsafe eval features to mitigate the impact of any remaining XSS vectors.

Generated by OpenCVE AI on April 18, 2026 at 07:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-mhpg-c27v-6mxr	NiceGUI apps which use `ui.sub_pages` vulnerable to zero-click XSS

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mhpg-c27v-6mxr

History

Thu, 15 Jan 2026 18:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:zauberzeug:nicegui::::::::

Fri, 09 Jan 2026 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Zauberzeug Zauberzeug nicegui
Vendors & Products		Zauberzeug Zauberzeug nicegui

Thu, 08 Jan 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 08 Jan 2026 10:00:00 +0000

Type	Values Removed	Values Added
Description		NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been patched in version 3.5.0.
Title		Zero-click XSS in all NiceGUI apps which uses `ui.sub_pages`
Weaknesses		CWE-79
References		https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0 https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mhpg-c27v-6mxr
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Zauberzeug Nicegui

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-08T09:50:23.361Z

Updated: 2026-01-08T15:11:24.092Z

Reserved: 2026-01-05T16:44:16.369Z

Link: CVE-2026-21873

Vulnrichment

Updated: 2026-01-08T15:11:18.086Z

NVD

Status : Analyzed

Published: 2026-01-08T10:15:55.617

Modified: 2026-01-15T17:45:57.000

Link: CVE-2026-21873

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:45:24Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object