CVE-2026-27156
📋 TL;DR
This vulnerability in NiceGUI allows cross-site scripting (XSS) attacks when user-controlled input is passed to certain client-side method execution APIs. Attackers can inject arbitrary JavaScript that executes in victims' browsers, potentially stealing session cookies or performing actions on behalf of users. Applications using NiceGUI versions before 3.8.0 with user input passed to run_method() or similar functions are affected.
💻 Affected Systems
- NiceGUI
📦 What is this software?
Nicegui by Zauberzeug
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover via session cookie theft, data exfiltration, or malicious actions performed on behalf of authenticated users.
Likely Case
Session hijacking, credential theft, or defacement of web application content.
If Mitigated
Limited impact if input validation prevents malicious payloads from reaching vulnerable functions.
🎯 Exploit Status
Exploitation requires user input to reach vulnerable functions. The advisory includes example payloads demonstrating the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.8.0
Vendor Advisory: https://github.com/zauberzeug/nicegui/security/advisories/GHSA-78qv-3mpx-9cqq
Restart Required: Yes
Instructions:
1. Update NiceGUI to version 3.8.0 or later using pip (quote the requirement so the shell does not treat `>=` as a redirect): pip install --upgrade "nicegui>=3.8.0"
2. Restart your application
3. Verify the update was successful
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation for all user inputs passed to Element.run_method(), Element.get_computed_prop(), AgGrid.run_grid_method(), or EChart.run_chart_method(). Treat the method name as an allowlisted identifier, never as free-form text.
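One way to implement the allowlist gate this workaround calls for, as an added example rather than NiceGUI's own code. It assumes run_method takes the method name as its first argument, as the advisory describes; DEFAULT_ALLOWED and RecordingElement are constructed for the demo so it runs without NiceGUI installed.

```python
import re
from typing import Any, Iterable

# A client-side method name is only ever a plain identifier ("focus",
# "scrollIntoView"); anything else is not a method name and is rejected.
_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Example allowlist (an assumption for this demo, not a NiceGUI constant):
# list only the methods your own code actually needs to invoke.
DEFAULT_ALLOWED = ("focus", "blur", "scrollIntoView")


def validate_method_name(name: Any, allowed: Iterable[str] = DEFAULT_ALLOWED) -> str:
    """Return name unchanged if it is an identifier on the allowlist, else raise.

    Rejecting everything that is not a bare identifier keeps script tags,
    javascript: URLs and eval(...) strings from ever reaching the browser.
    """
    if not isinstance(name, str) or _IDENTIFIER.fullmatch(name) is None:
        raise ValueError(f"rejected non-identifier method name: {name!r}")
    if name not in tuple(allowed):
        raise ValueError(f"method {name!r} is not on the allowlist")
    return name


def is_safe(name: Any, allowed: Iterable[str] = DEFAULT_ALLOWED) -> bool:
    """Boolean form of the gate, handy for request filters and tests."""
    try:
        validate_method_name(name, allowed)
    except ValueError:
        return False
    return True


def guarded_run_method(element: Any, name: Any, *args: Any,
                       allowed: Iterable[str] = DEFAULT_ALLOWED) -> Any:
    """Call element.run_method(name, *args) only after the name passes the gate.

    Assumes run_method takes the method name as its first argument; use this
    wrapper wherever user-controlled data would otherwise be passed directly.
    """
    return element.run_method(validate_method_name(name, allowed), *args)


class RecordingElement:
    """Constructed stand-in for a NiceGUI element: records what would be sent."""
    def __init__(self) -> None:
        self.calls: list = []

    def run_method(self, name: str, *args: Any) -> str:
        self.calls.append((name, args))
        return f"called {name}"
```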
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Use web application firewall (WAF) rules to detect and block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check if your application uses NiceGUI version <3.8.0 and passes user input to run_method() or similar functions.
Check Version:
python -c "import nicegui; print(nicegui.__version__)"
Verify Fix Applied:
Verify NiceGUI version is 3.8.0 or higher and test that user input cannot execute arbitrary JavaScript through vulnerable APIs.
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript execution patterns in browser console logs
- Suspicious method names containing script tags or JavaScript code
Network Indicators:
- Unexpected POST requests to run_method endpoints with suspicious payloads
SIEM Query:
web_requests WHERE url_path CONTAINS 'run_method' AND (request_body CONTAINS '<script>' OR request_body CONTAINS 'javascript:' OR request_body CONTAINS 'eval(')