CVE-2026-21873
Unknown Unknown - Not Provided

Cross-Site URL Fragment Manipulation in NiceGUI pushstate Component

Vulnerability report for CVE-2026-21873, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: GitHub, Inc.

Description

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been patched in version 3.5.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-07-06
AI Q&A
2026-01-08
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
zauberzeug nicegui From 2.22.0 (inc) to 3.4.1 (inc)
zauberzeug nicegui 3.5.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-21873 is a zero-click Cross-Site Scripting (XSS) vulnerability in the NiceGUI Python UI framework affecting versions 2.22.0 to 3.4.1. It arises from unsafe handling of the URL fragment identifier in the pushstate event listener used by the ui.sub_pages feature. An attacker can manipulate the fragment part of the URL when the NiceGUI app is embedded in an iframe, injecting arbitrary JavaScript code due to improper sanitization. This allows remote code execution in the context of the vulnerable application without any user interaction. [1]

Impact Analysis

This vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a vulnerable NiceGUI application embedded in an iframe. The impact includes potential compromise of confidentiality and integrity limited to what the highest privileged user in the app can access or modify. It does not affect availability. Since the attack requires no privileges or user interaction and can be performed remotely over the network, it poses a high severity risk (CVSS 7.2). [1]

Detection Guidance

Detection involves identifying if your NiceGUI application is running a vulnerable version (>=2.22.0 and <=3.4.1) and if it uses the ui.sub_pages feature. You can check the NiceGUI version by running a command like `pip show nicegui` in your environment. Additionally, monitoring HTTP requests for suspicious URL fragments containing unusual or malicious JavaScript payloads in iframe contexts may help detect exploitation attempts. There are no specific commands provided for direct detection of the vulnerability itself. [1]

Mitigation Strategies

Immediate mitigation steps include: 1) Avoid using the ui.sub_pages feature until you upgrade. 2) Block iframe embedding of your NiceGUI app by adding middleware to set the HTTP header `X-Frame-Options: DENY`. 3) Upgrade NiceGUI to version 3.5.0 or later where the vulnerability is patched. [1]

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21873. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart