Vulnerability Database

319,703

Total vulnerabilities in the database

CVE-2026-21872

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0.

Published: Jan 8, 2026
Updated: Jan 16, 2026
CVE: CVE-2026-21872
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
zauberzeug / nicegui	2.22.0	3.5.0

https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-m7j5-rq9j-6jj9

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo