CVE-2026-21872
Cross-Site Scripting in NiceGUI ui.sub_pages Click Handler
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zauberzeug | nicegui | 3.5.0 |
| zauberzeug | nicegui | From 2.22.0 (inc) to 3.4.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting NiceGUI applications that use the `ui.sub_pages` feature and render user-controlled links. Specifically, look for JavaScript event listeners on anchor (`<a>`) elements with href attributes starting with `/` that intercept clicks and emit `sub_pages_navigate` events. To detect exploitation attempts, monitor for unusual JavaScript alert pop-ups triggered by clicking links with suspicious payloads like `/'"+alert(1)+"'`. You can also scan your application code for unsafe string interpolation of `self.current_path` in JavaScript contexts. Commands to assist detection might include using browser developer tools to inspect event listeners on links, or using grep to find vulnerable code patterns, for example: `grep -r "self.current_path" path/to/nicegui/` or `grep -r "sub_pages_navigate" path/to/nicegui/`. Additionally, monitoring web server logs for requests containing suspicious link patterns or unusual user interactions may help identify attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade NiceGUI to version 3.5.0 or later, where the vulnerability has been patched. If upgrading is not immediately possible, ensure that any user-controlled input rendered in links within `ui.sub_pages` is properly sanitized or escaped before being injected into JavaScript contexts to prevent string context breakout. Avoid rendering arbitrary user-provided links without validation. Additionally, educate users to avoid clicking suspicious links until the patch is applied. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-21872 is a Cross-Site Scripting (XSS) vulnerability in the NiceGUI Python UI framework, specifically in the `ui.sub_pages` feature. It occurs because the application unsafely inserts user-controlled link paths directly into JavaScript code without proper sanitization. When a user clicks on a maliciously crafted link rendered on the page, arbitrary JavaScript code can execute in the context of the application. This happens due to unsafe string interpolation in the click event listener and navigation handling code, allowing attackers to inject and run scripts. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary JavaScript code in the context of the affected NiceGUI application when a user clicks on a malicious link. This can lead to compromise of confidentiality and integrity of the application data, such as stealing sensitive information or manipulating the UI. However, the attack requires user interaction (clicking the link), and the impact on availability is none. The overall severity is moderate. [1]