CVE-2026-21871 MEDIUM

CVE-2026-21871: NiceGUI is vulnerable to XSS via Unescaped URL in ui.navigate.history.push() / replace()

Vendor Zauberzeug
Product nicegui
Weakness CWE-79 · XSS
Published January 8, 2026
Last update January 8, 2026
View on NVD All CVEs

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is a XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim’s browser. Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected. This issue has been patched in version 3.5.0.

Key dates

02Disclosure timeline

January 8, 2026 CVE published
January 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-5233 Font Awesome Integration <= 5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2025-3999 Seeyon Zhiyuan OA Web Application System URL Parameter date.jsp cross site scripting CVE-2025-67922 WordPress Grand Restaurant theme < 7.0.9 - Cross Site Scripting (XSS) vulnerability CVE-2025-31899 WordPress Awesome Logos plugin <= 1.2 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2026-42612 Grav: Publisher-Level Stored XSS via Unquoted Event Attributes