CVE-2026-21871
Unknown Unknown - Not Provided
Cross-Site Scripting in NiceGUI ui.navigate.history Methods

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: GitHub, Inc.

Description
NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is a XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim’s browser. Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected. This issue has been patched in version 3.5.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-21871
EUVD
EUVD-2026-1478
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
zauberzeug nicegui From 2.13.0 (inc) to 3.4.1 (inc)
zauberzeug nicegui 3.5.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a DOM-based Cross-Site Scripting (XSS) issue in the NiceGUI Python UI framework versions 2.13.0 to 3.4.1. It occurs when attacker-controlled strings are passed into the methods ui.navigate.history.push() or ui.navigate.history.replace(), which update the browser URL without reloading the page. Because the URL argument is embedded into generated JavaScript without proper escaping, an attacker can craft a payload that breaks out of the intended string context and executes arbitrary JavaScript in the victim's browser. This can lead to malicious script execution when a user interacts with the affected application. [2]

Impact Analysis

This vulnerability can lead to client-side code execution in the victim's browser, allowing attackers to run arbitrary JavaScript. This can result in phishing UI injection, theft of sensitive information, session hijacking, or other malicious actions typical of XSS attacks. It requires user interaction (such as clicking a button) but no special privileges. The scope is changed, meaning the attack can affect components beyond the intended boundaries, potentially compromising user trust and application integrity. [2]

Detection Guidance

Detection involves identifying if your application uses NiceGUI versions 2.13.0 to 3.4.1 and whether it passes untrusted input into ui.navigate.history.push() or ui.navigate.history.replace(). You can review your application code for usage of these methods with user-controlled input. Additionally, testing with crafted payloads containing JavaScript code in URL parameters or path segments that are forwarded to these methods can help detect the vulnerability. For example, you can simulate a URL with a payload that attempts to break out of the string context and observe if arbitrary JavaScript executes in the browser (e.g., an alert with document.domain). There are no specific network commands provided, but manual code review and browser-based testing with crafted URLs are recommended. [2]

Mitigation Strategies

Immediate mitigation steps include upgrading NiceGUI to version 3.5.0 or later, where this vulnerability is fixed. If upgrading is not immediately possible, ensure that any input passed to ui.navigate.history.push() or ui.navigate.history.replace() is properly escaped or encoded to prevent injection of malicious JavaScript. Alternatively, avoid passing untrusted or attacker-controlled input into these methods. These steps will prevent the XSS attack vector by sanitizing user inputs related to URL handling. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21871. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart