CVE-2026-21873
Cross-Site URL Fragment Manipulation in NiceGUI pushstate Component
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zauberzeug | nicegui | From 2.22.0 (inc) to 3.4.1 (inc) |
| zauberzeug | nicegui | 3.5.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21873 is a zero-click Cross-Site Scripting (XSS) vulnerability in the NiceGUI Python UI framework affecting versions 2.22.0 to 3.4.1. It arises from unsafe handling of the URL fragment identifier in the pushstate event listener used by the ui.sub_pages feature. An attacker can manipulate the fragment part of the URL when the NiceGUI app is embedded in an iframe, injecting arbitrary JavaScript code due to improper sanitization. This allows remote code execution in the context of the vulnerable application without any user interaction. [1]
How can this vulnerability impact me? :
This vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a vulnerable NiceGUI application embedded in an iframe. The impact includes potential compromise of confidentiality and integrity limited to what the highest privileged user in the app can access or modify. It does not affect availability. Since the attack requires no privileges or user interaction and can be performed remotely over the network, it poses a high severity risk (CVSS 7.2). [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves identifying if your NiceGUI application is running a vulnerable version (>=2.22.0 and <=3.4.1) and if it uses the ui.sub_pages feature. You can check the NiceGUI version by running a command like `pip show nicegui` in your environment. Additionally, monitoring HTTP requests for suspicious URL fragments containing unusual or malicious JavaScript payloads in iframe contexts may help detect exploitation attempts. There are no specific commands provided for direct detection of the vulnerability itself. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Avoid using the ui.sub_pages feature until you upgrade. 2) Block iframe embedding of your NiceGUI app by adding middleware to set the HTTP header `X-Frame-Options: DENY`. 3) Upgrade NiceGUI to version 3.5.0 or later where the vulnerability is patched. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.