CVE-2026-21873 Zero-click XSS in all NiceGUI apps which uses `ui.sub_pages`

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.subpages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been...

CVE-2026-21873 Zero-click XSS in all NiceGUI apps which uses `ui.sub_pages`

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.subpages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been...

CVE-2026-21873

NiceGUI (Python UI framework) has a cross-site scripting risk in versions 2.22.0–3.4.1 due to an unsafe pushstate listener in ui.sub_pages that lets an attacker manipulate the URL fragment via an iframe. The issue is exploitable without user interaction and affects pages embeddable in iframes. A ...

PT-2026-2112

Name of the Vulnerable Software and Affected Versions NiceGUI versions 2.22.0 through 3.4.1 Description NiceGUI is a Python-based UI framework. An unsafe implementation in the pushstate event listener used by ui.sub pages allows an attacker to manipulate the fragment identifier of the URL, even...

CVE-1999-0877

Internet Explorer 5 allows remote attackers to read files via an ExecCommand method called on an IFRAME...

CVE-2019-16068

A CSRF vulnerability exists in NETSAS ENIGMA NMS version 65.0.0 and prior that could allow an attacker to be able to trick a victim into submitting a malicious managefiles.cgi request. This can be triggered via XSS or an IFRAME tag included within the site...

CVE-2019-12136

There is XSS in BoostIO Boostnote 0.11.15 via a label named mermaid, as demonstrated by a crafted SRC attribute of an IFRAME element...

CVE-2019-12184

There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136...

CVE-2025-1439

The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advancediframe' shortcode in all versions up to, and including, 2024.5 due to insufficient input sanitization and output escaping on user supplied attributes through the 'src' attribute when th...

CVE-2025-1440

The Advanced iFrame plugin for WordPress is vulnerable to unauthorized excessive creation of options on the aipmapurlcallback function in all versions up to, and including, 2024.5 due to insufficient restrictions. This makes it possible for unauthenticated attackers to update the...

CVE-2025-65922

PLANKA 2.0.0 lacks X-Frame-Options and CSP frame-ancestors headers, allowing the application to be embedded within malicious iframes. While this does not lead to unintended modification of projects or tasks, it exposes users to Phishing attacks. Attackers can frame the legitimate Planka applicati...

PT-2026-1317

Name of the Vulnerable Software and Affected Versions PLANKA version 2.0.0 Description The application does not implement X-Frame-Options and CSP frame-ancestors headers, which allows it to be embedded within malicious iframes. This can expose users to phishing attacks through UI Redressing,...

EUVD-2026-0827

PLANKA 2.0.0 lacks X-Frame-Options and CSP frame-ancestors headers, allowing the application to be embedded within malicious iframes. While this does not lead to unintended modification of projects or tasks, it exposes users to Phishing attacks. Attackers can frame the legitimate Planka applicati...

PT-2026-20853

Name of the Vulnerable Software and Affected Versions SPIP versions prior to 4.4.8 Description The application does not properly handle iframe content in the private area, allowing an attacker to inject and execute malicious scripts through iframe tags. The issue occurs because the application do...

CVE-2025-69234

Whale browser before 4.35.351.12 allows an attacker to escape the iframe sandbox in a sidebar environment...

WordPress Advanced iFrame plugin <= 2024.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Host Header vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Host Header vulnerability discovered by omstaendlig in WordPress Plugin Advanced iFrame versions = 2024.5...

WordPress TableOn plugin <= 1.0.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via tableon_popup_iframe_button Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via tableonpopupiframebutton Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin TableOn versions = 1.0.4.1...

CVE-2025-69234

Whale browser before 4.35.351.12 allows an attacker to escape the iframe sandbox in a sidebar environment...

CVE-2025-69234

Whale browser before 4.35.351.12 allows an attacker to escape the iframe sandbox in a sidebar environment...

CVE-2025-69234

Whale browser before 4.35.351.12 allows an attacker to escape the iframe sandbox in a sidebar environment...