CVE-2026-21871
Cross-Site Scripting in NiceGUI ui.navigate.history Methods
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zauberzeug | nicegui | From 2.13.0 (inc) to 3.4.1 (inc) |
| zauberzeug | nicegui | 3.5.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a DOM-based Cross-Site Scripting (XSS) issue in the NiceGUI Python UI framework versions 2.13.0 to 3.4.1. It occurs when attacker-controlled strings are passed into the methods ui.navigate.history.push() or ui.navigate.history.replace(), which update the browser URL without reloading the page. Because the URL argument is embedded into generated JavaScript without proper escaping, an attacker can craft a payload that breaks out of the intended string context and executes arbitrary JavaScript in the victim's browser. This can lead to malicious script execution when a user interacts with the affected application. [2]
How can this vulnerability impact me? :
This vulnerability can lead to client-side code execution in the victim's browser, allowing attackers to run arbitrary JavaScript. This can result in phishing UI injection, theft of sensitive information, session hijacking, or other malicious actions typical of XSS attacks. It requires user interaction (such as clicking a button) but no special privileges. The scope is changed, meaning the attack can affect components beyond the intended boundaries, potentially compromising user trust and application integrity. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves identifying if your application uses NiceGUI versions 2.13.0 to 3.4.1 and whether it passes untrusted input into ui.navigate.history.push() or ui.navigate.history.replace(). You can review your application code for usage of these methods with user-controlled input. Additionally, testing with crafted payloads containing JavaScript code in URL parameters or path segments that are forwarded to these methods can help detect the vulnerability. For example, you can simulate a URL with a payload that attempts to break out of the string context and observe if arbitrary JavaScript executes in the browser (e.g., an alert with document.domain). There are no specific network commands provided, but manual code review and browser-based testing with crafted URLs are recommended. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading NiceGUI to version 3.5.0 or later, where this vulnerability is fixed. If upgrading is not immediately possible, ensure that any input passed to ui.navigate.history.push() or ui.navigate.history.replace() is properly escaped or encoded to prevent injection of malicious JavaScript. Alternatively, avoid passing untrusted or attacker-controlled input into these methods. These steps will prevent the XSS attack vector by sanitizing user inputs related to URL handling. [1, 2]