Nicegui
Monthly
NiceGUI versions prior to 3.8.0 are vulnerable to stored cross-site scripting (XSS) through multiple APIs that improperly handle user-controlled method names, allowing attackers to inject arbitrary JavaScript that executes in victims' browsers. The vulnerability stems from unsafe use of eval() and string interpolation in Element.run_method(), AgGrid.run_grid_method(), EChart.run_chart_method(), and related functions. A patch is available in version 3.8.0 and later.
Path traversal in NiceGUI before 3.7.0 allows remote attackers to write arbitrary files outside intended directories by exploiting unsanitized filename metadata in the FileUpload.name property, potentially leading to remote code execution when developers incorporate this value directly into file paths. Public exploit code exists for this vulnerability, affecting applications using common patterns like concatenating user-supplied filenames with upload directories. Developers are only protected if they use fixed paths, generate filenames server-side, or explicitly sanitize user input.
Cross-site scripting in NiceGUI's ui.markdown() component allows unauthenticated attackers to inject malicious HTML and JavaScript into applications that render user-controlled markdown content, as the component lacks built-in sanitization unlike other NiceGUI HTML rendering functions. Public exploit code exists for this vulnerability affecting NiceGUI versions before 3.7.0. Applications using ui.markdown() with untrusted input are vulnerable to session hijacking, credential theft, and other client-side attacks.
NiceGUI versions 2.10.0 through 3.4.1 fail to properly release Redis connections when users open and close browser tabs, allowing unauthenticated attackers to exhaust the Redis connection pool and degrade service functionality. An attacker can repeatedly trigger connection leaks without authentication, causing storage errors and degraded performance once connection limits are reached. Public exploit code exists for this vulnerability, which is patched in version 3.5.0.
NiceGUI versions 2.22.0 through 3.4.1 contain a cross-site DOM-based XSS vulnerability in the pushstate event listener for ui.sub_pages that allows attackers to manipulate URL fragment identifiers via iframe injection. Public exploit code exists for this vulnerability, and affected users should upgrade to version 3.5.0 or later as no patch is currently available for vulnerable versions.
NiceGUI versions 2.22.0 through 3.4.1 contain a stored cross-site scripting vulnerability in the click event listener of ui.sub_pages that executes attacker-controlled JavaScript when users click malicious links on the page. Public exploit code exists for this vulnerability, and affected users should upgrade to version 3.5.0 or later immediately. The vulnerability requires user interaction but can impact confidentiality and integrity with network-accessible exploitation.
Cross-site scripting (XSS) in NiceGUI versions 2.13.0 through 3.4.1 allows attackers to execute arbitrary JavaScript in users' browsers when applications pass untrusted input to the ui.navigate.history.push() or ui.navigate.history.replace() functions due to improper string escaping in generated JavaScript. Public exploit code exists for this vulnerability, and developers using affected versions should upgrade to 3.5.0 or later, or avoid passing user-controlled data to these navigation helpers. Applications that only use these functions with trusted, hardcoded URLs are unaffected.
NiceGUI versions prior to 3.8.0 are vulnerable to stored cross-site scripting (XSS) through multiple APIs that improperly handle user-controlled method names, allowing attackers to inject arbitrary JavaScript that executes in victims' browsers. The vulnerability stems from unsafe use of eval() and string interpolation in Element.run_method(), AgGrid.run_grid_method(), EChart.run_chart_method(), and related functions. A patch is available in version 3.8.0 and later.
Path traversal in NiceGUI before 3.7.0 allows remote attackers to write arbitrary files outside intended directories by exploiting unsanitized filename metadata in the FileUpload.name property, potentially leading to remote code execution when developers incorporate this value directly into file paths. Public exploit code exists for this vulnerability, affecting applications using common patterns like concatenating user-supplied filenames with upload directories. Developers are only protected if they use fixed paths, generate filenames server-side, or explicitly sanitize user input.
Cross-site scripting in NiceGUI's ui.markdown() component allows unauthenticated attackers to inject malicious HTML and JavaScript into applications that render user-controlled markdown content, as the component lacks built-in sanitization unlike other NiceGUI HTML rendering functions. Public exploit code exists for this vulnerability affecting NiceGUI versions before 3.7.0. Applications using ui.markdown() with untrusted input are vulnerable to session hijacking, credential theft, and other client-side attacks.
NiceGUI versions 2.10.0 through 3.4.1 fail to properly release Redis connections when users open and close browser tabs, allowing unauthenticated attackers to exhaust the Redis connection pool and degrade service functionality. An attacker can repeatedly trigger connection leaks without authentication, causing storage errors and degraded performance once connection limits are reached. Public exploit code exists for this vulnerability, which is patched in version 3.5.0.
NiceGUI versions 2.22.0 through 3.4.1 contain a cross-site DOM-based XSS vulnerability in the pushstate event listener for ui.sub_pages that allows attackers to manipulate URL fragment identifiers via iframe injection. Public exploit code exists for this vulnerability, and affected users should upgrade to version 3.5.0 or later as no patch is currently available for vulnerable versions.
NiceGUI versions 2.22.0 through 3.4.1 contain a stored cross-site scripting vulnerability in the click event listener of ui.sub_pages that executes attacker-controlled JavaScript when users click malicious links on the page. Public exploit code exists for this vulnerability, and affected users should upgrade to version 3.5.0 or later immediately. The vulnerability requires user interaction but can impact confidentiality and integrity with network-accessible exploitation.
Cross-site scripting (XSS) in NiceGUI versions 2.13.0 through 3.4.1 allows attackers to execute arbitrary JavaScript in users' browsers when applications pass untrusted input to the ui.navigate.history.push() or ui.navigate.history.replace() functions due to improper string escaping in generated JavaScript. Public exploit code exists for this vulnerability, and developers using affected versions should upgrade to 3.5.0 or later, or avoid passing user-controlled data to these navigation helpers. Applications that only use these functions with trusted, hardcoded URLs are unaffected.