CVE-2026-25516
Unknown Unknown - Not Provided
Cross-Site Scripting in NiceGUI ui.markdown() Component

Publication date: 2026-02-06

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers. Unlike other NiceGUI components that render HTML (ui.html(), ui.chat_message(), ui.interactive_image()), the ui.markdown() component does not provide or require a sanitize parameter, leaving applications vulnerable to XSS attacks. This vulnerability is fixed in 3.7.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25516
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zauberzeug nicegui to 3.7.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the NiceGUI Python-based UI framework, specifically in the ui.markdown() component. This component uses the markdown2 library to convert markdown content to HTML, which is then rendered using innerHTML. By default, markdown2 allows raw HTML to pass through unchanged, meaning that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers. Unlike other NiceGUI components that render HTML, ui.markdown() does not provide or require a sanitize parameter, leaving applications vulnerable to cross-site scripting (XSS) attacks.

This vulnerability was fixed in version 3.7.0 of NiceGUI.

Impact Analysis

This vulnerability can allow attackers to inject malicious HTML and JavaScript into applications using the vulnerable ui.markdown() component. This can lead to cross-site scripting (XSS) attacks, which may result in unauthorized actions performed on behalf of users, theft of sensitive information such as cookies or session tokens, and potential compromise of user accounts or application integrity.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade NiceGUI to version 3.7.0 or later, where the issue has been fixed.

Additionally, avoid rendering user-controlled content through the ui.markdown() component without proper sanitization, as it allows raw HTML and can lead to XSS attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25516. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart