CVE-2026-21871
MEDIUM
GHSA-7grm-h62g-5m97
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4Description
NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is a XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim’s browser. Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected. This issue has been patched in version 3.5.0.
Analysis
Cross-site scripting (XSS) in NiceGUI versions 2.13.0 through 3.4.1 allows attackers to execute arbitrary JavaScript in users' browsers when applications pass untrusted input to the ui.navigate.history.push() or ui.navigate.history.replace() functions due to improper string escaping in generated JavaScript. Public exploit code exists for this vulnerability, and developers using affected versions should upgrade to 3.5.0 or later, or avoid passing user-controlled data to these navigation helpers. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today