Moderate severity · OSV Advisory · Published Jan 8, 2026 · Updated Jan 8, 2026
NiceGUI apps that use `ui.sub_pages` and render arbitrary user-provided links are vulnerable to XSS
CVE-2026-21872
Description
NiceGUI is a Python-based UI framework. From version 2.22.0 to 3.4.1, an unsafe implementation of the click event listener used by `ui.sub_pages`, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nicegui (PyPI) | >= 2.22.0, < 3.5.0 | 3.5.0 |
Affected products
- Range: v2.22.0, v2.22.1, v2.23.0, …
References
- github.com/advisories/GHSA-m7j5-rq9j-6jj9 (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-21872 (ADVISORY)
- github.com/zauberzeug/nicegui/releases/tag/v3.5.0 (WEB, x_refsource_MISC)
- github.com/zauberzeug/nicegui/security/advisories/GHSA-m7j5-rq9j-6jj9 (WEB, x_refsource_CONFIRM)