CVE-2026-25516
Unknown Unknown - Not Provided
Cross-Site Scripting in NiceGUI ui.markdown() Component

Publication date: 2026-02-06

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers. Unlike other NiceGUI components that render HTML (ui.html(), ui.chat_message(), ui.interactive_image()), the ui.markdown() component does not provide or require a sanitize parameter, leaving applications vulnerable to XSS attacks. This vulnerability is fixed in 3.7.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-02-20
Generated
2026-05-07
AI Q&A
2026-02-07
EPSS Evaluated
2026-05-05
NVD
CVE-2026-25516
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zauberzeug nicegui to 3.7.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in the NiceGUI Python-based UI framework, specifically in the ui.markdown() component. This component uses the markdown2 library to convert markdown content to HTML, which is then rendered using innerHTML. By default, markdown2 allows raw HTML to pass through unchanged, meaning that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers. Unlike other NiceGUI components that render HTML, ui.markdown() does not provide or require a sanitize parameter, leaving applications vulnerable to cross-site scripting (XSS) attacks.

This vulnerability was fixed in version 3.7.0 of NiceGUI.


How can this vulnerability impact me? :

This vulnerability can allow attackers to inject malicious HTML and JavaScript into applications using the vulnerable ui.markdown() component. This can lead to cross-site scripting (XSS) attacks, which may result in unauthorized actions performed on behalf of users, theft of sensitive information such as cookies or session tokens, and potential compromise of user accounts or application integrity.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade NiceGUI to version 3.7.0 or later, where the issue has been fixed.

Additionally, avoid rendering user-controlled content through the ui.markdown() component without proper sanitization, as it allows raw HTML and can lead to XSS attacks.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart