CVE-2026-21872 MEDIUM

CVE-2026-21872: NiceGUI apps are vulnerable to XSS which uses `ui.sub_pages` and render arbitrary user-provided links

Vendor Zauberzeug
Product nicegui
Weakness CWE-79 · XSS
Published January 8, 2026
Last update January 8, 2026

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0.

Key dates

02Disclosure timeline

January 8, 2026 CVE published
January 8, 2026 Record updated

Related vulnerabilities

04Related CVE