anonhaven
Ad

CVE-2026-21872

MEDIUM CVSS 3.1: 6.1 EPSS 0.02%
Updated Jan 15, 2026
Zauberzeug
Parameter Value
CVSS 6.1 (MEDIUM)
Affected Versions 2.22.0 — 3.5.0
Fixed In 3.5.0
Type CWE-79 (Cross-Site Scripting (XSS))
Vendor Zauberzeug
Public PoC No

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Zauberzeug Nicegui
cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*
 2.22.0 3.5.0

References 2

https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0
security-advisories@github.com
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-m7j5-rq9j-6jj9
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-33332

Zauberzeug

6.9

CVE-2026-21874

Zauberzeug

5.3

CVE-2026-21873

Zauberzeug

6.1

CVE-2026-21871

Zauberzeug

6.1