PT-2025-49681

Name of the Vulnerable Software and Affected Versions NiceGUI versions 3.3.1 and below Description NiceGUI, a Python-based UI framework, has an issue where the ui.add css, ui.add scss, and ui.add sass functions do not properly sanitize or encode JavaScript contexts. This allows an attacker to...

Cross-Site Scripting (XSS)

nicegui is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to the framework not sanitizing HTML or JavaScript when rendering unescaped user input through ui.html, which allows an attacker to execute arbitrary JavaScript in a user’s browser...

CVE-2025-53354

NiceGUI is a Python-based UI framework. Versions 2.24.2 and below are at risk for Cross-Site Scripting XSS when developers render unescaped user input into the DOM using ui.html. NiceGUI did not enforce HTML or JavaScript sanitization, so applications that directly combine components like ui.inpu...

CVE-2025-53354

NiceGUI is a Python-based UI framework. Versions 2.24.2 and below are at risk for Cross-Site Scripting XSS when developers render unescaped user input into the DOM using ui.html. NiceGUI did not enforce HTML or JavaScript sanitization, so applications that directly combine components like ui.inpu...

EUVD-2024-1257

Malicious code in bioql PyPI...

EUVD-2025-0044

Malicious code in bioql PyPI...

CVE-2025-53354 NiceGUI is vulnerable to Reflected XSS attack

NiceGUI is a Python-based UI framework. Versions 2.24.2 and below are at risk for Cross-Site Scripting XSS when developers render unescaped user input into the DOM using ui.html. NiceGUI did not enforce HTML or JavaScript sanitization, so applications that directly combine components like ui.inpu...

CVE-2025-53354 NiceGUI is vulnerable to Reflected XSS attack

NiceGUI is a Python-based UI framework. Versions 2.24.2 and below are at risk for Cross-Site Scripting XSS when developers render unescaped user input into the DOM using ui.html. NiceGUI did not enforce HTML or JavaScript sanitization, so applications that directly combine components like ui.inpu...

EUVD-2025-32318

NiceGUI is a Python-based UI framework. Versions 2.24.2 and below are at risk for Cross-Site Scripting XSS when developers render unescaped user input into the DOM using ui.html. NiceGUI did not enforce HTML or JavaScript sanitization, so applications that directly combine components like ui.inpu...

CVE-2025-53354 NiceGUI is vulnerable to Reflected XSS attack

NiceGUI is a Python-based UI framework. Versions 2.24.2 and below are at risk for Cross-Site Scripting XSS when developers render unescaped user input into the DOM using ui.html. NiceGUI did not enforce HTML or JavaScript sanitization, so applications that directly combine components like ui.inpu...

CVE-2025-53354

NiceGUI is affected by a Cross-Site Scripting (XSS) vulnerability when rendering unescaped user input into the DOM via ui.html() (and related HTML content in ui.chat_message). Versions 2.24.2 and below are vulnerable; the issue stems from not sanitizing HTML/JavaScript inputs. Applications that c...

ai-plays-jackbox (>=0.0.1 <=0.3.2), air-link (>=0.0.0 <=0.5.0) +70 more potentially affected by CVE-2025-53354 via nicegui (>=0.9.11 <=2.8.1)

nicegui PYPI version =0.9.11, =0.0.1, =0.0.0, =0.1.0, =1.1.3, =0.3.0, =0.0.1, =0.6.7, =1.0.0, =1.2.0, =0.10.0, =0.11.1 and more Source cves: CVE-2025-53354 Source advisory: OSV:GHSA-8C95-HPQ2-W46F...

GHSA-8C95-HPQ2-W46F NiceGUI has a Reflected XSS

Summary A Cross-Site Scripting XSS risk exists in NiceGUI when developers render unescaped user input into the DOM using ui.html. Before version 3.0, NiceGUI does not enforce HTML or JavaScript sanitization, so applications that directly combine components like ui.input with ui.html without...

NiceGUI has a Reflected XSS

Summary A Cross-Site Scripting XSS risk exists in NiceGUI when developers render unescaped user input into the DOM using ui.html. Before version 3.0, NiceGUI does not enforce HTML or JavaScript sanitization, so applications that directly combine components like ui.input with ui.html without...

Cross-site Scripting (XSS)

Overview nicegui is a Create web-based user interfaces with Python. The nice way. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the ui.html or ui.chatmessage functions when unescaped user input is rendered directly into the DOM. An attacker can execute arbitrary...

CVE-2025-53354

creationtimestamp| type| source ---|---|--- 2025-10-03 16:35:11+00:00| published-proof-of-concept| https://github.com/zauberzeug/nicegui/security/advisories/GHSA-8c95-hpq2-w46f...

NiceGUI 跨站脚本漏洞

NiceGUI is an easy-to-use, Python-based UI framework open-sourced by NiceGUI. A cross-site scripting vulnerability exists in NiceGUI 2.24.2 and earlier versions that stems from not enforcing HTML or JavaScript cleanup, which could lead to cross-site scripting attacks...

CVE-2025-21618

NiceGUI is an easy-to-use, Python-based UI framework. Prior to 2.9.1, authenticating with NiceGUI logged in the user for all browsers, including browsers in incognito mode. This vulnerability is fixed in 2.9.1...

CVE-2024-32005

NiceGUI is an easy-to-use, Python-based UI framework. A local file inclusion is present in the NiceUI leaflet component when requesting resource files under the /nicegui/version/resources/key/path:path route. As a result any file on the backend filesystem which the web server has access to can be...

Session Fixation

NiceGUI is vulnerable to Session Fixation. The vulnerability is due to improper session handling, where authenticating with NiceGUI logged in the user across all browsers, including those in incognito mode...