221 matches found

Vulnrichment
added 2025/12/09 12:11 a.m. | 4 views

CVE-2025-66470 NiceGUI Stored/Reflected XSS in ui.interactive_image via unsanitized SVG content

NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are subject to an XSS vulnerability through the ui.interactive_image component of NiceGUI. The component renders SVG content using Vue's v-html directive without any sanitization. This allows attackers to inject malicious HTML or...

CVSS 6.1 | AI score 5.7 | EPSS 0.0001
Exploits: 2 | References: 2
OSV
added 2025/12/09 12:11 a.m. | 1 view

CVE-2025-66470 NiceGUI Stored/Reflected XSS in ui.interactive_image via unsanitized SVG content

NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are subject to an XSS vulnerability through the ui.interactive_image component of NiceGUI. The component renders SVG content using Vue's v-html directive without any sanitization. This allows attackers to inject malicious HTML or...

CVSS 6.1 | AI score 6 | EPSS 0.0001
Exploits: 2 | References: 4
CVE
added 2025/12/09 12:11 a.m. | 7 views

CVE-2025-66470

CVE-2025-66470 affects NiceGUI <= 3.3.1 via the ui.interactive_image component, which renders SVG content with Vue v-html without sanitization. This can lead to stored/reflected XSS through the SVG tag when images are rendered or updated. The issue is fixed in NiceGUI 3.4.0; remediation is to...

CVSS 6.1 | AI score 5.7 | EPSS 0.0001
Exploits: 2 | References: 2 | Affected Software: 1
Cvelist
added 2025/12/09 12:11 a.m. | 29 views

CVE-2025-66470 NiceGUI Stored/Reflected XSS in ui.interactive_image via unsanitized SVG content

NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are subject to an XSS vulnerability through the ui.interactive_image component of NiceGUI. The component renders SVG content using Vue's v-html directive without any sanitization. This allows attackers to inject malicious HTML or...

CVSS 6.1 | EPSS 0.0001
Exploits: 2 | References: 2
CNNVD
added 2025/12/09 12:00 a.m. | 1 view

NiceGUI Security Vulnerability

NiceGUI is an easy-to-use, Python-based UI framework open-sourced by NiceGUI. A security vulnerability exists in NiceGUI 3.3.1 and earlier versions, which stems from the ui.interactive_image component not sanitizing SVG content, and could lead to cross-site scripting attacks...

CVSS 6.1 | AI score 5.8 | EPSS 0.0001
Exploits: 2 | References: 3
CNNVD
added 2025/12/09 12:00 a.m. | 3 views

NiceGUI Cross-Site Scripting Vulnerability

NiceGUI is an easy-to-use, Python-based UI framework open-sourced by NiceGUI. A cross-site scripting vulnerability exists in NiceGUI 3.3.1 and earlier versions, which stems from insufficient sanitization and escaping in the ui.add_css, ui.add_scss, and ui.add_sass functions, and could lead to a reflectiv...

CVSS 6.1 | AI score 5.8 | EPSS 0.00042
Exploits: 1 | References: 3
CNNVD
added 2025/12/09 12:00 a.m. | 1 view

NiceGUI Path Traversal Vulnerability

NiceGUI is an easy-to-use, Python-based UI framework open-sourced by NiceGUI. A path traversal vulnerability exists in NiceGUI 3.3.1 and earlier versions, which stems from a flaw in the App.add_media_files function that could lead to a directory traversal attack...

CVSS 7.5 | AI score 6.4 | EPSS 0.00755
Exploits: 1 | References: 3
Positive Technologies
added 2025/12/09 12:00 a.m. | 2 views

PT-2025-50275

Name of the Vulnerable Software and Affected Versions: NiceGUI versions 3.3.1 and below. Description: NiceGUI, a Python-based UI framework, contains a flaw that allows a remote attacker to read arbitrary files on the server filesystem. This is due to a directory traversal issue present in the App.ad...

CVSS 7.5 | AI score 6.6 | EPSS 0.00755
Exploits: 1 | References: 4
Positive Technologies
added 2025/12/09 12:00 a.m. | 2 views

PT-2025-49682

Name of the Vulnerable Software and Affected Versions: NiceGUI versions 3.3.1 and below. Description: NiceGUI, a Python-based UI framework, has an issue where the ui.interactive_image component can be exploited for cross-site scripting (XSS). The component renders Scalable Vector Graphics (SVG) content...

CVSS 6.1 | AI score 5.9 | EPSS 0.0001
Exploits: 2 | References: 6
OSV
added 2025/12/08 11:54 p.m. | 2 views

CVE-2025-66469 NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection

NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.add_css, ui.add_scss, and ui.add_sass functions. The functions lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended or...

CVSS 6.1 | AI score 6.4 | EPSS 0.00042
Exploits: 1 | References: 4
Cvelist
added 2025/12/08 11:54 p.m. | 27 views

CVE-2025-66469 NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection

NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.add_css, ui.add_scss, and ui.add_sass functions. The functions lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended or...

CVSS 6.1 | EPSS 0.00042
Exploits: 1 | References: 2
EUVD
added 2025/12/08 11:54 p.m. | 1 view

EUVD-2025-201814

NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.add_css, ui.add_scss, and ui.add_sass functions. The functions lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended or...

CVSS 6.1 | AI score 6 | EPSS 0.00042
Exploits: 1 | References: 3
Vulnrichment
added 2025/12/08 11:54 p.m. | 2 views

CVE-2025-66469 NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection

NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.add_css, ui.add_scss, and ui.add_sass functions. The functions lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended or...

CVSS 6.1 | AI score 6.1 | EPSS 0.00042
Exploits: 1 | References: 2
CVE
added 2025/12/08 11:54 p.m. | 7 views

CVE-2025-66469

CVE-2025-66469 is a reported Reflected XSS in NiceGUI (Python UI framework). The vulnerability affects versions 3.3.1 and earlier and stems from insufficient sanitization/escaping in the functions ui.add_css, ui.add_scss, and ui.add_sass, which generate JavaScript contexts that can be broken out ...

CVSS 6.1 | AI score 6.1 | EPSS 0.00042
Exploits: 1 | References: 2 | Affected Software: 1
Github Security Blog
added 2025/12/08 9:30 p.m. | 6 views

NiceGUI Stored/Reflected XSS in ui.interactive_image via unsanitized SVG content

Summary: A Cross-Site Scripting (XSS) vulnerability exists in the ui.interactive_image component of NiceGUI v3.3.1 and earlier. The component renders SVG content using Vue's v-html directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG tag. Detail...

CVSS 6.1 | AI score 5.6 | EPSS 0.0001
Exploits: 2 | References: 4 | Affected Software: 1
OSV
added 2025/12/08 9:30 p.m. | 3 views

GHSA-2M4F-CG75-76W2 NiceGUI Stored/Reflected XSS in ui.interactive_image via unsanitized SVG content

Summary: A Cross-Site Scripting (XSS) vulnerability exists in the ui.interactive_image component of NiceGUI v3.3.1 and earlier. The component renders SVG content using Vue's v-html directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG tag. Detail...

CVSS 6.1 | AI score 5.5 | EPSS 0.0001
Exploits: 2 | References: 4
vulnersOsv
added 2025/12/08 9:30 p.m. | 4 views

acherion (>=0.2.0 <=0.5.3), aesp (=2025.9.12) +186 more potentially affected by CVE-2025-66470 via nicegui (>=3.0.4 <=3.3.1)

nicegui PYPI version =3.0.4, =0.2.0, =1.0.0, =0.4.0, =0.1.0, =0.2.200, =0.3.0, =0.0.0, =0.4.14, =1.0.0, =0.4.4, =0.4.9 - boaboard =0.1.0 and more Source cves: CVE-2025-66470 Source advisory: SNYK:PYTHON-NICEGUI-14222431...

CVSS 6.1 | AI score 5.8 | EPSS 0.0001
Exploits: 2
Snyk
added 2025/12/08 9:30 p.m. | 1 view

Cross-site Scripting (XSS)

Overview: nicegui is a package to create web-based user interfaces with Python, the nice way. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the ui.interactive_image component when rendering SVG content using the v-html directive without sanitization. An attacker can execute...

CVSS 6.1 | AI score 5.5 | EPSS 0.0001
Exploits: 2 | References: 2
OSV
added 2025/12/08 9:30 p.m. | 2 views

GHSA-72QC-WXCH-74MG NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection

Summary: A Cross-Site Scripting (XSS) vulnerability exists in ui.add_css, ui.add_scss, and ui.add_sass functions in NiceGUI v3.3.1 and earlier. These functions allow developers to inject styles dynamically. However, they lack proper sanitization or encoding for the JavaScript context they generate. An...

CVSS 6.1 | AI score 5.9 | EPSS 0.00042
Exploits: 1 | References: 4
Snyk
added 2025/12/08 9:30 p.m. | 2 views

Cross-site Scripting (XSS)

Overview: nicegui is a package to create web-based user interfaces with Python, the nice way. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the ui.add_css, ui.add_scss, and ui.add_sass functions. An attacker can execute arbitrary JavaScript in the context of the user's browser...

CVSS 6.1 | AI score 5.4 | EPSS 0.00042
Exploits: 1 | References: 2