Description
NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser. Additionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context. Version 3.8.0 contains a fix.
Published: 2026-02-24
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client-side code execution via XSS
Action: Patch Now
AI Analysis

Impact

NiceGUI, a Python-based UI framework, has a flaw in several client-side APIs that execute element methods. Before version 3.8.0, these APIs use a JavaScript `eval()` fallback and interpolate user-supplied method names directly into strings. An attacker can supply arbitrary JavaScript as the method name, causing it to run in the victim's browser. This cross-site scripting flaw allows an attacker to execute any script in the context of the affected webpage, potentially compromising confidential data, hijacking sessions, and performing unauthorized actions on behalf of the user.

Affected Systems

All versions of Zauberzeug NiceGUI prior to 3.8.0 are vulnerable. The issue exists in Element.run_method(), AgGrid.run_grid_method(), EChart.run_chart_method(), Element.get_computed_prop(), and related APIs.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity, but EPSS is below 1%, indicating a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred from the description: an attacker must supply malicious input to one of the vulnerable APIs, which in turn renders the input as executable JavaScript in the client. The attacker needs the victim to load the page or submit data that contains the crafted method name, so the risk is moderate but the exploitation likelihood is low.

Generated by OpenCVE AI on April 17, 2026 at 15:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update NiceGUI to version 3.8.0 or later to apply the vendor’s fix.
  • Restrict the use of Element.run_method, AgGrid.run_grid_method, EChart.run_chart_method, and Element.get_computed_prop to trusted, validated inputs only.
  • Implement input validation or sanitization on method names to ensure only legitimate identifiers are accepted, mitigating the risk of code injection.
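An added example (not NiceGUI's own code) of the two fixes the description names: refusing any method name that is not a plain identifier, and letting `json.dumps()` produce the JavaScript string literal instead of interpolating the name. The `runMethod(...)` call shape, the identifier policy and the helper names are assumptions for illustration.

```python
import json
import re

# Assumed policy: a legitimate client-side method/property name is a JS
# identifier, optionally dotted (e.g. "api.refreshCells"). Anything else
# (quotes, parentheses, spaces) is refused before it reaches the browser.
_IDENTIFIER = re.compile(r"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*")


def is_safe_method_name(name: str) -> bool:
    """True only when `name` is a plain (possibly dotted) identifier."""
    return bool(_IDENTIFIER.fullmatch(name))


def js_string_literal(name: str) -> str:
    """json.dumps() yields a JS-compatible string literal: a quote or backslash
    inside `name` is escaped, so it can no longer close the literal early."""
    return json.dumps(name)


def vulnerable_call(name: str, *args) -> str:
    """Shape of the pre-3.8.0 pattern the advisory describes: the name is
    interpolated raw, so a double quote in `name` ends the string context."""
    return f'runMethod("{name}", {json.dumps(list(args))})'


def hardened_call(name: str, *args) -> str:
    """Hardened variant: validate the name, then serialise it with json.dumps()."""
    if not is_safe_method_name(name):
        raise ValueError(f"refusing non-identifier method name: {name!r}")
    return f"runMethod({js_string_literal(name)}, {json.dumps(list(args))})"


if __name__ == "__main__":
    bad = 'foo"bar'                # constructed: a name carrying a stray quote
    print(vulnerable_call(bad))    # the quote lands in the JS unescaped
    print(js_string_literal(bad))  # json.dumps escapes it: "foo\"bar"
    print(hardened_call("api.refreshCells", {"force": True}))
    try:
        hardened_call(bad)
    except ValueError as exc:
        print("rejected:", exc)
```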


Advisories
Source: GitHub GHSA
ID: GHSA-78qv-3mpx-9cqq
Title: NiceGUI vulnerable to XSS via Code Injection during client-side element function execution
History

Thu, 26 Feb 2026 23:15:00 +0000
  Metrics (ssvc), values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 18:15:00 +0000
  CPEs, values added: cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*

Wed, 25 Feb 2026 12:00:00 +0000
  First Time appeared, values added: Zauberzeug; Zauberzeug nicegui
  Vendors & Products, values added: Zauberzeug; Zauberzeug nicegui

Tue, 24 Feb 2026 17:30:00 +0000
  Description, values added: NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser. Additionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context. Version 3.8.0 contains a fix.
  Title, values added: NiceGUI has XSS via Code Injection
  Weaknesses, values added: CWE-79
  References, values added:
  Metrics (cvssV3_1), values added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE
  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-02-26T21:33:40.507Z
  Reserved: 2026-02-18T00:18:53.962Z
  Link: CVE-2026-27156

Vulnrichment
  Updated: 2026-02-26T21:06:45.535Z

NVD
  Status: Analyzed
  Published: 2026-02-24T18:29:33.490
  Modified: 2026-02-26T18:10:00.633
  Link: CVE-2026-27156

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-04-17T15:45:15Z

Weaknesses