
Python CVE-2026-21873

HIGH · Cross-site Scripting (XSS) (CWE-79)
Published 2026-01-08 · security-advisories@github.com · GHSA-mhpg-c27v-6mxr
CVSS 3.1 score 7.2 · GitHub Advisory

Severity by source

  • GitHub Advisory (PRIMARY): 7.2 HIGH, AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None

Lifecycle Timeline

  • Patch released (patch available): Mar 31, 2026 - 21:13 (nvd)
  • Analysis generated: Mar 12, 2026 - 21:54 (vuln.today)
  • PoC detected (public exploit code): Jan 15, 2026 - 17:45 (vuln.today)
  • CVE published: Jan 08, 2026 - 10:15 (nvd)

Description (GitHub Advisory)

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been patched in version 3.5.0.

Analysis (AI)

NiceGUI versions 2.22.0 through 3.4.1 contain a cross-site, DOM-based XSS vulnerability in the pushstate event listener used by ui.sub_pages: an attacker can manipulate the URL fragment identifier from a cross-site page by embedding the application in an iframe. Public exploit code exists for this vulnerability. Affected users should upgrade to version 3.5.0 or later, since no fix is available for the vulnerable versions themselves.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Host malicious iframe on external site
  • Exploit: Manipulate URL fragment identifier cross-site
  • Execution: Trigger unsafe pushstate event listener
  • Impact: Inject malicious content into NiceGUI application

Vulnerability Assessment (AI)

Exploitation: NiceGUI versions 2.22.0 to 3.4.1 with the ui.sub_pages feature enabled; the application is rendered in an iframe context, which allows cross-site manipulation of the URL fragment; no authentication is required. …
Risk Assessment: CVSS 7.2 (HIGH). …
Exploit Scenario: An attacker could exploit this vulnerability to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe.
Remediation: Fixed in version 3.5.0. …

Recommended Action (AI)

Within 7 days: Identify all affected systems and apply vendor patches promptly. …



CVE-2026-21873 vulnerability details – vuln.today
