), allowing for the execution of arbitrary JavaScript. This issue is fixed in version 3.4.0.", "datePublished": "2025-12-08T23:54:37Z", "dateModified": "2025-12-09T16:03:54Z", "keywords": "CVE-2025-66469, vulnerability, CVE, security, nicegui, zauberzeug", "about": { "@type": "SoftwareApplication", "name": "nicegui", "applicationCategory": "SecurityApplication", "operatingSystem": "All" } }
CVE-2025-66469 MEDIUM

CVE-2025-66469: NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection

Vendor Zauberzeug
Product nicegui
Weakness CWE-79 · XSS
Published December 8, 2025
Last update December 9, 2025

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.add_css, ui.add_scss, and ui.add_sass functions. The functions lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended <style> or <script> tags by injecting closing tags (e.g., </style> or </script>), allowing for the execution of arbitrary JavaScript. This issue is fixed in version 3.4.0.

Key dates

02Disclosure timeline

December 8, 2025 CVE published
December 9, 2025 Record updated