Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27156 is a Cross-Site Scripting (XSS) vulnerability in the NiceGUI Python-based UI framework versions prior to 3.8.0. Several NiceGUI APIs that execute methods on client-side elements, such as Element.run_method(), AgGrid.run_grid_method(), and EChart.run_chart_method(), used a JavaScript fallback involving the unsafe eval() function in the runMethod() function. When user-controlled input is passed as the method name, an attacker can inject and execute arbitrary JavaScript code in the victim's browser."}, {'type': 'paragraph', 'content': 'Additionally, Element.run_method() and Element.get_computed_prop() used unsafe string interpolation instead of safe JSON serialization (json.dumps()), allowing quote injection to break out of the intended string context and facilitate code injection.'}, {'type': 'paragraph', 'content': 'The vulnerability was fixed by removing all eval() calls from runMethod(), enforcing safe JSON serialization of method names and arguments, adding error handling for unknown methods, and providing tests to prevent JavaScript injection.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows an attacker to inject and execute arbitrary JavaScript code in the victim's browser when user-controlled input is passed as a method name to affected NiceGUI APIs."}, {'type': 'list_item', 'content': 'An attacker can steal cookies or tokens, potentially hijacking user sessions.'}, {'type': 'list_item', 'content': 'The attacker can manipulate the Document Object Model (DOM) to perform phishing attacks or display fake login forms.'}, {'type': 'list_item', 'content': 'Unauthorized actions can be performed on behalf of the victim user.'}, {'type': 'paragraph', 'content': 'The attack vector typically involves crafting a malicious URL with a payload as a query parameter that is passed to the vulnerable API and executed via eval() on the client side.'}] [2]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your NiceGUI installation is using a vulnerable version (prior to 3.8.0) where unsafe eval() calls exist in the JavaScript runMethod() function and unsafe string interpolation is used in Python APIs like Element.run_method().'}, {'type': 'paragraph', 'content': 'One practical detection method is to monitor for suspicious WebSocket traffic or HTTP requests containing method names or parameters that include JavaScript code snippets or payloads, such as alert(document.cookie) or other injected scripts.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves user-controlled input passed as method names, you can search your application logs or network captures for requests with query parameters or WebSocket messages that include suspicious method names.'}, {'type': 'paragraph', 'content': 'Specific commands depend on your environment, but examples include:'}, {'type': 'list_item', 'content': "Using grep to find suspicious payloads in logs: grep -iE 'alert\\(|console\\.error\\(|document\\.cookie' /path/to/logs/*"}, {'type': 'list_item', 'content': 'Using network capture tools like tcpdump or Wireshark to filter WebSocket traffic and inspect for injected JavaScript code.'}, {'type': 'list_item', 'content': 'Checking the NiceGUI version installed: python -c "import nicegui; print(nicegui.__version__)" and verifying it is 3.8.0 or later.'}] [2, 1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and most effective mitigation is to upgrade NiceGUI to version 3.8.0 or later, where the vulnerability has been fixed by removing unsafe eval() usage and enforcing safe JSON serialization of method names and arguments.

If upgrading is not immediately possible, avoid passing user-controlled input directly as method names to the affected APIs such as Element.run_method(), AgGrid.run_grid_method(), and others.

Additionally, review your application code to ensure that any JavaScript code execution is done explicitly via safe methods like ui.run_javascript(), rather than through run_method() or similar APIs.

Implement input validation and sanitization on any user input that could be passed to these APIs to prevent injection of arbitrary JavaScript.

Monitor logs for suspicious activity and consider applying Web Application Firewall (WAF) rules to detect and block attempts to exploit this vulnerability.

Useful 0 Not Useful 0