High severity · OSV Advisory · Published Jan 8, 2026 · Updated Jan 8, 2026
Zero-click XSS in all NiceGUI apps which use `ui.sub_pages`
CVE-2026-21873
Description
NiceGUI is a Python-based UI framework. In versions 2.22.0 through 3.4.1, the pushstate event listener used by ui.sub_pages handles the URL's fragment identifier unsafely. A cross-site page can set that fragment without any user interaction by loading the target app in an iframe: navigating a frame to the same URL with a different fragment is permitted across origins and does not reload the document, so the listener fires with an attacker-controlled value and the result is XSS. The issue is patched in version 3.5.0.
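The mechanism above, as an added example that is not NiceGUI's code and does not reproduce the internals of ui.sub_pages: a miniature hash-based sub-page router whose navigation handler echoes an unknown route into markup, the hardened form of the same handler, and the cross-origin frame navigation an attacker page would use to deliver the fragment. Every name here (PAGES, renderVulnerable, renderHardened, pointFrameAtFragment, victimHandles), the route table and the payload are hypothetical and constructed for illustration.

```javascript
// Added example, not NiceGUI's code: a miniature fragment-based sub-page router
// showing how a cross-site fragment write becomes DOM XSS when the navigation
// handler echoes the fragment into markup, and a hardened variant.
// All names (PAGES, renderVulnerable, renderHardened, pointFrameAtFragment,
// victimHandles) are hypothetical and do not correspond to ui.sub_pages internals.

// Constructed route table: fragment path -> static markup for that sub-page.
const PAGES = {
  "": "<h1>Home</h1>",
  "about": "<h1>About</h1>",
};

// Vulnerable pattern: the handler decodes the fragment and, for an unknown
// route, builds an error view by concatenating the raw value into HTML.
// Whatever the attacker put after '#' lands in innerHTML unescaped.
function renderVulnerable(hash) {
  const path = decodeURIComponent(hash.replace(/^#/, ""));
  const page = PAGES[path]; // plain lookup: "constructor" also resolves, via Object.prototype
  return page !== undefined ? page : `<h1>Not found: ${path}</h1>`;
}

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened pattern: treat the fragment as an untrusted route key, resolve it
// with hasOwnProperty so prototype names cannot match, tolerate malformed
// percent-encoding, and never place the raw value into markup.
function renderHardened(hash) {
  let path;
  try {
    path = decodeURIComponent(hash.replace(/^#/, ""));
  } catch (_) {
    path = ""; // malformed percent-encoding: fall back to the home route
  }
  if (Object.prototype.hasOwnProperty.call(PAGES, path)) {
    return PAGES[path];
  }
  return `<h1>Not found: ${escapeHtml(path)}</h1>`;
}

// Attacker side. A cross-origin page cannot read or script the victim frame,
// but it may navigate it. Assigning src to the same URL with a different
// fragment is a fragment navigation: the victim document is not reloaded and
// its fragment/history listeners fire with the new value. No click is needed,
// which is what makes this zero-click. `frame` is any object with a writable
// `src` (an <iframe> in a browser; a plain object in the stand-alone run below).
function pointFrameAtFragment(frame, victimUrl, payload) {
  frame.src = victimUrl + "#" + encodeURIComponent(payload);
  return frame.src;
}

// Simulated victim: what the handler would write into the page container
// once the frame's URL has changed.
function victimHandles(url, render) {
  const i = url.indexOf("#");
  return render(i === -1 ? "" : url.slice(i));
}

// Stand-alone demonstration with a constructed payload.
const fakeFrame = { src: "" }; // stands in for document.createElement("iframe")
const payload = '<img src=x onerror="alert(document.domain)">';
const url = pointFrameAtFragment(fakeFrame, "https://victim.example/app", payload);

console.log("vulnerable:", victimHandles(url, renderVulnerable));
console.log("hardened:  ", victimHandles(url, renderHardened));
```

The vulnerable handler returns the raw `<img ... onerror>` element for the attacker's fragment; the hardened one returns it HTML-escaped, sends prototype names such as `constructor` to the not-found view, and falls back to the home route when the fragment cannot be decoded. For the real issue, the practitioner's check is simply the installed version: anything from 2.22.0 up to but excluding 3.5.0 is affected, and upgrading to 3.5.0 is the fix.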
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nicegui (PyPI) | >= 2.22.0, < 3.5.0 | 3.5.0 |
Affected products (1)
- Range: v2.22.0, v2.22.1, v2.23.0, …
Patches
No patch commits are linked in this index yet; the fix ships in release v3.5.0 (see References).
References (4)
- https://github.com/advisories/GHSA-mhpg-c27v-6mxr (advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-21873 (advisory)
- https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0 (release)
- https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mhpg-c27v-6mxr (vendor advisory)