CVE-2026-21873
Unknown Unknown - Not Provided
Cross-Site URL Fragment Manipulation in NiceGUI pushstate Component

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: GitHub, Inc.

Description
NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been patched in version 3.5.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21873
EUVD
EUVD-2026-1475
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
zauberzeug nicegui From 2.22.0 (inc) to 3.4.1 (inc)
zauberzeug nicegui 3.5.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21873 is a zero-click Cross-Site Scripting (XSS) vulnerability in the NiceGUI Python UI framework affecting versions 2.22.0 to 3.4.1. It arises from unsafe handling of the URL fragment identifier in the pushstate event listener used by the ui.sub_pages feature. An attacker can manipulate the fragment part of the URL when the NiceGUI app is embedded in an iframe, injecting arbitrary JavaScript code due to improper sanitization. This allows remote code execution in the context of the vulnerable application without any user interaction. [1]

Impact Analysis

This vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a vulnerable NiceGUI application embedded in an iframe. The impact includes potential compromise of confidentiality and integrity limited to what the highest privileged user in the app can access or modify. It does not affect availability. Since the attack requires no privileges or user interaction and can be performed remotely over the network, it poses a high severity risk (CVSS 7.2). [1]

Detection Guidance

Detection involves identifying if your NiceGUI application is running a vulnerable version (>=2.22.0 and <=3.4.1) and if it uses the ui.sub_pages feature. You can check the NiceGUI version by running a command like `pip show nicegui` in your environment. Additionally, monitoring HTTP requests for suspicious URL fragments containing unusual or malicious JavaScript payloads in iframe contexts may help detect exploitation attempts. There are no specific commands provided for direct detection of the vulnerability itself. [1]

Mitigation Strategies

Immediate mitigation steps include: 1) Avoid using the ui.sub_pages feature until you upgrade. 2) Block iframe embedding of your NiceGUI app by adding middleware to set the HTTP header `X-Frame-Options: DENY`. 3) Upgrade NiceGUI to version 3.5.0 or later where the vulnerability is patched. [1]

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21873. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart