Lucene search
K

235 matches found

Snyk
Snyk
added 2026/01/08 8:0 p.m.2 views

Cross-site Scripting (XSS)

Overview nicegui is a Create web-based user interfaces with Python. The nice way. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the ui.navigate.history.push or ui.navigate.history.replace functions. An attacker can execute arbitrary JavaScript in the victim's...

6.1CVSS5.4AI score0.00243EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/01/08 8:0 p.m.13 views

NiceGUI is vulnerable to XSS via Unescaped URL in ui.navigate.history.push() / replace()

Summary XSS risk exists in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push or ui.navigate.history.replace. These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into...

6.1CVSS6.6AI score0.00243EPSS
Exploits1References4Affected Software1
NVD
NVD
added 2026/01/08 10:15 a.m.14 views

CVE-2026-21871

NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is a XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push or ui.navigate.history.replace. These helpers are documented as History API wrappers for updating the browser URL...

6.1CVSS0.00243EPSS
Exploits1References2
NVD
NVD
added 2026/01/08 10:15 a.m.62 views

CVE-2026-21873

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.subpages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been...

7.2CVSS0.00233EPSS
Exploits1References2
NVD
NVD
added 2026/01/08 10:15 a.m.7 views

CVE-2026-21872

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.subpages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in versi...

6.1CVSS0.00238EPSS
Exploits1References2
NVD
NVD
added 2026/01/08 10:15 a.m.6 views

CVE-2026-21874

NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation wh...

5.3CVSS0.0051EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/01/08 9:50 a.m.2 views

CVE-2026-21874 NiceGUI has Redis connection leak via tab storage causes service degradation

NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation wh...

5.3CVSS6.4AI score0.0051EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/01/08 9:50 a.m.34 views

CVE-2026-21874 NiceGUI has Redis connection leak via tab storage causes service degradation

NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation wh...

5.3CVSS0.0051EPSS
Exploits1References3
CVE
CVE
added 2026/01/08 9:50 a.m.17 views

CVE-2026-21874

CVE-2026-21874 affects NiceGUI versions 2.10.0 through 3.4.1 where an unauthenticated attacker can exhaust Redis connections by repeatedly opening/closing browser tabs using Redis-backed storage. This tab-storage leak prevents Redis connections from being released, causing Redis to reach its max ...

5.3CVSS6.4AI score0.0051EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/01/08 9:50 a.m.6 views

CVE-2026-21874 NiceGUI has Redis connection leak via tab storage causes service degradation

NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation wh...

5.3CVSS6.5AI score0.0051EPSS
Exploits1References5
EUVD
EUVD
added 2026/01/08 9:50 a.m.8 views

EUVD-2026-1474

NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation wh...

5.3CVSS6.3AI score0.0051EPSS
Exploits1References5
EUVD
EUVD
added 2026/01/08 9:50 a.m.4 views

EUVD-2026-1475

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.subpages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been...

7.2CVSS6.4AI score0.00233EPSS
Exploits1References4
CVE
CVE
added 2026/01/08 9:50 a.m.23 views

CVE-2026-21873

NiceGUI (Python UI framework) has a cross-site scripting risk in versions 2.22.0–3.4.1 due to an unsafe pushstate listener in ui.sub_pages that lets an attacker manipulate the URL fragment via an iframe. The issue is exploitable without user interaction and affects pages embeddable in iframes. A ...

7.2CVSS6.6AI score0.00233EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/01/08 9:50 a.m.2 views

CVE-2026-21873 Zero-click XSS in all NiceGUI apps which uses `ui.sub_pages`

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.subpages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been...

7.2CVSS6.6AI score0.00233EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/01/08 9:50 a.m.29 views

CVE-2026-21873 Zero-click XSS in all NiceGUI apps which uses `ui.sub_pages`

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.subpages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been...

7.2CVSS0.00233EPSS
Exploits1References2
OSV
OSV
added 2026/01/08 9:50 a.m.4 views

CVE-2026-21873 Zero-click XSS in all NiceGUI apps which uses `ui.sub_pages`

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.subpages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been...

7.2CVSS6.7AI score0.00233EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/01/08 9:50 a.m.3 views

CVE-2026-21872 NiceGUI apps are vulnerable to XSS which uses `ui.sub_pages` and render arbitrary user-provided links

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.subpages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in versi...

6.1CVSS5.8AI score0.00238EPSS
Exploits1References2
EUVD
EUVD
added 2026/01/08 9:50 a.m.5 views

EUVD-2026-1477

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.subpages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in versi...

6.1CVSS5.7AI score0.00238EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/01/08 9:50 a.m.28 views

CVE-2026-21872 NiceGUI apps are vulnerable to XSS which uses `ui.sub_pages` and render arbitrary user-provided links

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.subpages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in versi...

6.1CVSS0.00238EPSS
Exploits1References2
CVE
CVE
added 2026/01/08 9:50 a.m.19 views

CVE-2026-21872

NiceGUI (Python UI framework) versions 2.22.0–3.4.1 are affected by an XSS vulnerability caused by an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page. The issue triggers when a user actively clicks a crafted link...

6.1CVSS5.8AI score0.00238EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder