CVE-2026-21871 – This is a cross-site scripting (XSS) vulnerabil... (How to Fix)

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in NiceGUI Python UI framework that allows attackers to execute arbitrary JavaScript in victims' browsers when untrusted input is passed to specific navigation functions. Only applications using affected versions (2.13.0 to 3.4.1) that pass user-controlled data to ui.navigate.history.push() or replace() are vulnerable.

💻 Affected Systems

Products:

NiceGUI

Versions: 2.13.0 to 3.4.1

Operating Systems: All

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace() functions.

📦 What is this software?

Nicegui by Zauberzeug

View all CVEs affecting Nicegui →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers can execute arbitrary JavaScript in victim browsers, potentially stealing session cookies, performing actions as the user, or redirecting to malicious sites.

🟠

Likely Case

Limited XSS attacks against users who interact with applications that pass untrusted input to the vulnerable functions, potentially leading to session hijacking or data theft.

🟢

If Mitigated

No impact if applications don't pass untrusted input to the vulnerable functions or if proper input validation/sanitization is implemented.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires the application to pass untrusted user input to the vulnerable functions. The vulnerability is in the framework's JavaScript generation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.0

Vendor Advisory: https://github.com/zauberzeug/nicegui/security/advisories/GHSA-7grm-h62g-5m97

Restart Required: Yes

Instructions:

1. Update NiceGUI to version 3.5.0 or later using pip: pip install --upgrade nicegui>=3.5.0
2. Restart your application
3. Verify the update with: pip show nicegui

🔧 Temporary Workarounds

Input Validation/Sanitization

all

Implement strict input validation and sanitization for any data passed to ui.navigate.history.push() or replace() functions.

Avoid Untrusted Input

all

Ensure ui.navigate.history.push() and replace() only receive trusted, hardcoded, or properly sanitized values.

🧯 If You Can't Patch

Implement strict input validation to ensure only trusted data reaches the vulnerable functions
Use Content Security Policy (CSP) headers to mitigate potential XSS impact

🔍 How to Verify

Check if Vulnerable:

Check if your NiceGUI version is between 2.13.0 and 3.4.1 and if your code passes any user-controlled input to ui.navigate.history.push() or replace() functions.

Check Version:

pip show nicegui | grep Version

Verify Fix Applied:

Verify NiceGUI version is 3.5.0 or higher and test that user input passed to navigation functions no longer executes JavaScript.

📡 Detection & Monitoring

Log Indicators:

Unusual JavaScript execution in browser console logs
Unexpected URL parameter values containing script tags or JavaScript

Network Indicators:

Suspicious URL parameters containing JavaScript payloads in HTTP requests

SIEM Query:

Search for web application logs containing suspicious patterns like <script>, javascript:, or eval() in URL parameters

📊 Metadata

CVE ID: CVE-2026-21871

CVSS v3 Score: 6.1 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.03% exploit probability (9.4th percentile)

Published: January 8, 2026

Last Updated: January 15, 2026

🔗 References

https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0 Release Notes
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-7grm-h62g-5m97 Exploit,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-21871, you might also want to check these: