anonhaven
Ad

CVE-2026-21873

MEDIUM CVSS 3.1: 6.1 EPSS 0.02%
Updated Jan 15, 2026
Zauberzeug
Parameter Value
CVSS 6.1 (MEDIUM)
Affected Versions 2.22.0 — 3.5.0
Fixed In 3.5.0
Type CWE-79 (Cross-Site Scripting (XSS))
Vendor Zauberzeug
Public PoC No

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been patched in version 3.5.0.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Zauberzeug Nicegui
cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*
 2.22.0 3.5.0

References 2

https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0
security-advisories@github.com
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mhpg-c27v-6mxr
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-33332

Zauberzeug

6.9

CVE-2026-21874

Zauberzeug

5.3

CVE-2026-21872

Zauberzeug

6.1

CVE-2026-21871

Zauberzeug

6.1