Lucene search
K

235 matches found

RedhatCVE
RedhatCVE
added 2026/01/10 5:40 a.m.3 views

CVE-2026-21874

NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation wh...

5.3CVSS6.8AI score0.0051EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/01/10 5:40 a.m.4 views

CVE-2026-21872

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.subpages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in versi...

6.1CVSS6.2AI score0.00238EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/01/10 5:40 a.m.5 views

CVE-2026-21873

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.subpages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been...

7.2CVSS7AI score0.00233EPSS
Exploits1References1
vulnersOsv
vulnersOsv
added 2026/01/08 8:27 p.m.12 views

acherion (>=0.2.0 <=0.9.2), aesp (=2025.9.12) +244 more potentially affected by CVE-2026-21874 via nicegui (>=2.11.0 <=3.3.1)

nicegui PYPI version =2.11.0, =0.2.0, =1.0.0, =0.0.1, =0.1.0, =0.2.0, =0.3.0, =0.3.0, =0.0.0, =0.4.14, =1.0.0, =1.1.3 - autestoy =0.1.0 - auth-web-kit =1.2.2 and more Source cves: CVE-2026-21874 Source advisory: OSV:GHSA-MP55-G7PJ-RVM2...

5.3CVSS5.7AI score0.0051EPSS
Exploits1
Github Security Blog
Github Security Blog
added 2026/01/08 8:27 p.m.8 views

NiceGUI has Redis connection leak via tab storage causes service degradation

Summary An unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting...

5.3CVSS7AI score0.0051EPSS
Exploits1References5Affected Software1
vulnersOsv
vulnersOsv
added 2026/01/08 8:27 p.m.5 views

acherion (>=0.2.0 <=0.9.2), aesp (=2025.9.12) +244 more potentially affected by CVE-2026-21874 via nicegui (>=2.11.0 <=3.3.1)

nicegui PYPI version =2.11.0, =0.2.0, =1.0.0, =0.0.1, =0.1.0, =0.2.0, =0.3.0, =0.3.0, =0.0.0, =0.4.14, =1.0.0, =1.1.3 - autestoy =0.1.0 - auth-web-kit =1.2.2 and more Source cves: CVE-2026-21874 Source advisory: SNYK:PYTHON-NICEGUI-14912449...

5.3CVSS5.7AI score0.0051EPSS
Exploits1
Snyk
Snyk
added 2026/01/08 8:27 p.m.5 views

Missing Release of Resource after Effective Lifetime

Overview nicegui is a Create web-based user interfaces with Python. The nice way. Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime in the handledisconnect function, when using the Redis backend for tab storage. An attacker can cause service...

6.9CVSS6.7AI score0.0051EPSS
Exploits1References2
OSV
OSV
added 2026/01/08 8:27 p.m.5 views

GHSA-MP55-G7PJ-RVM2 NiceGUI has Redis connection leak via tab storage causes service degradation

Summary An unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting...

5.3CVSS6.9AI score0.0051EPSS
Exploits1References5
vulnersOsv
vulnersOsv
added 2026/01/08 8:16 p.m.3 views

acherion (>=0.2.0 <=0.9.2), aesp (=2025.9.12) +243 more potentially affected by CVE-2026-21873 via nicegui (>=2.22.2 <=3.3.1)

nicegui PYPI version =2.22.2, =0.2.0, =1.0.0, =0.0.1, =0.1.0, =0.2.0, =0.3.0, =0.3.0, =0.0.0, =0.4.14, =1.0.0, =1.1.3 - autestoy =0.1.0 - auth-web-kit =1.2.2 and more Source cves: CVE-2026-21873 Source advisory: SNYK:PYTHON-NICEGUI-14912444...

7.2CVSS5.7AI score0.00233EPSS
Exploits1
Github Security Blog
Github Security Blog
added 2026/01/08 8:16 p.m.10 views

NiceGUI apps which use `ui.sub_pages` vulnerable to zero-click XSS

Summary An unsafe implementation in the pushstate event listener used by ui.subpages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. Details The problem is traced as follows: 1. On pushstate, handleStateEvent is...

7.2CVSS6.5AI score0.00233EPSS
Exploits1References4Affected Software1
vulnersOsv
vulnersOsv
added 2026/01/08 8:16 p.m.6 views

acherion (>=0.2.0 <=0.9.2), aesp (=2025.9.12) +243 more potentially affected by CVE-2026-21873 via nicegui (>=2.22.2 <=3.3.1)

nicegui PYPI version =2.22.2, =0.2.0, =1.0.0, =0.0.1, =0.1.0, =0.2.0, =0.3.0, =0.3.0, =0.0.0, =0.4.14, =1.0.0, =1.1.3 - autestoy =0.1.0 - auth-web-kit =1.2.2 and more Source cves: CVE-2026-21873 Source advisory: OSV:GHSA-MHPG-C27V-6MXR...

7.2CVSS5.7AI score0.00233EPSS
Exploits1
OSV
OSV
added 2026/01/08 8:16 p.m.5 views

GHSA-MHPG-C27V-6MXR NiceGUI apps which use `ui.sub_pages` vulnerable to zero-click XSS

Summary An unsafe implementation in the pushstate event listener used by ui.subpages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. Details The problem is traced as follows: 1. On pushstate, handleStateEvent is...

7.2CVSS6.4AI score0.00233EPSS
Exploits1References4
OSV
OSV
added 2026/01/08 8:8 p.m.5 views

GHSA-M7J5-RQ9J-6JJ9 NiceGUI apps are vulnerable to XSS which uses `ui.sub_pages` and render arbitrary user-provided links

Summary An unsafe implementation in the click event listener used by ui.subpages, combined with attacker-controlled link rendering on the page, causes an XSS when the user actively clicks on the link. Details 1. On click, eventually subpagesnavigate event is emitted...

6.1CVSS6.2AI score0.00238EPSS
Exploits1References4
vulnersOsv
vulnersOsv
added 2026/01/08 8:8 p.m.3 views

acherion (>=0.2.0 <=0.9.2), aesp (=2025.9.12) +243 more potentially affected by CVE-2026-21872 via nicegui (>=2.22.2 <=3.3.1)

nicegui PYPI version =2.22.2, =0.2.0, =1.0.0, =0.0.1, =0.1.0, =0.2.0, =0.3.0, =0.3.0, =0.0.0, =0.4.14, =1.0.0, =1.1.3 - autestoy =0.1.0 - auth-web-kit =1.2.2 and more Source cves: CVE-2026-21872 Source advisory: SNYK:PYTHON-NICEGUI-14912452...

6.1CVSS5.7AI score0.00238EPSS
Exploits1
Snyk
Snyk
added 2026/01/08 8:8 p.m.3 views

Cross-site Scripting (XSS)

Overview nicegui is a Create web-based user interfaces with Python. The nice way. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the ui.subpages function. An attacker can execute JavaScript in the context of the user's browser by tricking a user into clicking a...

6.1CVSS5.3AI score0.00238EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/01/08 8:8 p.m.14 views

NiceGUI apps are vulnerable to XSS which uses `ui.sub_pages` and render arbitrary user-provided links

Summary An unsafe implementation in the click event listener used by ui.subpages, combined with attacker-controlled link rendering on the page, causes an XSS when the user actively clicks on the link. Details 1. On click, eventually subpagesnavigate event is emitted...

6.1CVSS6.3AI score0.00238EPSS
Exploits1References4Affected Software1
vulnersOsv
vulnersOsv
added 2026/01/08 8:8 p.m.5 views

acherion (>=0.2.0 <=0.9.2), aesp (=2025.9.12) +243 more potentially affected by CVE-2026-21872 via nicegui (>=2.22.2 <=3.3.1)

nicegui PYPI version =2.22.2, =0.2.0, =1.0.0, =0.0.1, =0.1.0, =0.2.0, =0.3.0, =0.3.0, =0.0.0, =0.4.14, =1.0.0, =1.1.3 - autestoy =0.1.0 - auth-web-kit =1.2.2 and more Source cves: CVE-2026-21872 Source advisory: OSV:GHSA-M7J5-RQ9J-6JJ9...

6.1CVSS5.7AI score0.00238EPSS
Exploits1
OSV
OSV
added 2026/01/08 8:0 p.m.7 views

GHSA-7GRM-H62G-5M97 NiceGUI is vulnerable to XSS via Unescaped URL in ui.navigate.history.push() / replace()

Summary XSS risk exists in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push or ui.navigate.history.replace. These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into...

6.1CVSS6.6AI score0.00243EPSS
Exploits1References4
vulnersOsv
vulnersOsv
added 2026/01/08 8:0 p.m.6 views

acherion (>=0.2.0 <=0.9.2), aesp (=2025.9.12) +243 more potentially affected by CVE-2026-21871 via nicegui (>=2.16.1 <=3.3.1)

nicegui PYPI version =2.16.1, =0.2.0, =1.0.0, =0.0.1, =0.1.0, =0.2.0, =0.3.0, =0.3.0, =0.0.0, =0.4.14, =1.0.0, =1.1.3 - autestoy =0.1.0 - auth-web-kit =1.2.2 and more Source cves: CVE-2026-21871 Source advisory: SNYK:PYTHON-NICEGUI-14912442...

6.1CVSS5.7AI score0.00243EPSS
Exploits1
vulnersOsv
vulnersOsv
added 2026/01/08 8:0 p.m.3 views

acherion (>=0.2.0 <=0.9.2), aesp (=2025.9.12) +243 more potentially affected by CVE-2026-21871 via nicegui (>=2.16.1 <=3.3.1)

nicegui PYPI version =2.16.1, =0.2.0, =1.0.0, =0.0.1, =0.1.0, =0.2.0, =0.3.0, =0.3.0, =0.0.0, =0.4.14, =1.0.0, =1.1.3 - autestoy =0.1.0 - auth-web-kit =1.2.2 and more Source cves: CVE-2026-21871 Source advisory: OSV:GHSA-7GRM-H62G-5M97...

6.1CVSS5.7AI score0.00243EPSS
Exploits1
Rows per page
Query Builder