CVE-2026-21872 – This is a cross-site scripting (XSS) vulnerabil... (How to Fix)

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in NiceGUI Python UI framework versions 2.22.0 through 3.4.1. Attackers can inject malicious scripts via crafted links that execute when users click them, potentially stealing session cookies or performing actions as the victim. All applications using vulnerable NiceGUI versions are affected.

💻 Affected Systems

Products:

NiceGUI

Versions: 2.22.0 to 3.4.1

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires user interaction (clicking malicious link) and attacker-controlled link rendering on page.

📦 What is this software?

Nicegui by Zauberzeug

View all CVEs affecting Nicegui →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers steal user session cookies, hijack accounts, perform actions as authenticated users, or deploy malware to client systems.

🟠

Likely Case

Session hijacking, credential theft, or unauthorized actions within the application context.

🟢

If Mitigated

Limited to same-origin data exposure if proper content security policies are implemented.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

XSS exploitation is well-understood; requires user interaction but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.0

Vendor Advisory: https://github.com/zauberzeug/nicegui/security/advisories/GHSA-m7j5-rq9j-6jj9

Restart Required: Yes

Instructions:

1. Update NiceGUI to version 3.5.0 or later using pip: pip install nicegui>=3.5.0
2. Restart all NiceGUI applications
3. Verify the update with pip show nicegui

🔧 Temporary Workarounds

Implement Content Security Policy

all

Add strict CSP headers to prevent script execution from untrusted sources

Sanitize User Input

all

Implement input validation and output encoding for all user-controlled data in NiceGUI applications

🧯 If You Can't Patch

Implement strict Content Security Policy with script-src 'self'
Disable or restrict ui.sub_pages functionality if not essential

🔍 How to Verify

Check if Vulnerable:

Check NiceGUI version: pip show nicegui | grep Version

Check Version:

pip show nicegui | grep Version

Verify Fix Applied:

Confirm version is 3.5.0 or higher: pip show nicegui | grep Version

📡 Detection & Monitoring

Log Indicators:

Unusual JavaScript execution patterns
Suspicious click events on crafted links

Network Indicators:

External script loading from unexpected sources in application traffic

SIEM Query:

web.logs | where user_agent contains 'NiceGUI' and url contains suspicious patterns

📊 Metadata

CVE ID: CVE-2026-21872

CVSS v3 Score: 6.1 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.03% exploit probability (9.4th percentile)

Published: January 8, 2026

Last Updated: January 15, 2026

🔗 References

https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0 Release Notes
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-m7j5-rq9j-6jj9 Exploit,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-21872, you might also want to check these: