CVE-2026-25516
Unknown Unknown - Not Provided

Cross-Site Scripting in NiceGUI ui.markdown() Component

Vulnerability report for CVE-2026-25516, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-06

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description

NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers. Unlike other NiceGUI components that render HTML (ui.html(), ui.chat_message(), ui.interactive_image()), the ui.markdown() component does not provide or require a sanitize parameter, leaving applications vulnerable to XSS attacks. This vulnerability is fixed in 3.7.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-06
Last Modified
2026-02-20
Generated
2026-07-06
AI Q&A
2026-02-07
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
zauberzeug nicegui to 3.7.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the NiceGUI Python-based UI framework, specifically in the ui.markdown() component. This component uses the markdown2 library to convert markdown content to HTML, which is then rendered using innerHTML. By default, markdown2 allows raw HTML to pass through unchanged, meaning that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers. Unlike other NiceGUI components that render HTML, ui.markdown() does not provide or require a sanitize parameter, leaving applications vulnerable to cross-site scripting (XSS) attacks.

This vulnerability was fixed in version 3.7.0 of NiceGUI.

Impact Analysis

This vulnerability can allow attackers to inject malicious HTML and JavaScript into applications using the vulnerable ui.markdown() component. This can lead to cross-site scripting (XSS) attacks, which may result in unauthorized actions performed on behalf of users, theft of sensitive information such as cookies or session tokens, and potential compromise of user accounts or application integrity.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade NiceGUI to version 3.7.0 or later, where the issue has been fixed.

Additionally, avoid rendering user-controlled content through the ui.markdown() component without proper sanitization, as it allows raw HTML and can lead to XSS attacks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25516. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart