CVE-2026-21873

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been patched in version 3.5.0.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0	Release Notes
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mhpg-c27v-6mxr	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*

History

17 Jun 2026, 10:19

Type	Values Removed	Values Added
Summary		(es) NiceGUI es un framework de UI basado en Python. Desde las versiones 2.22.0 hasta la 3.4.1, una implementación insegura en el oyente de eventos pushstate utilizado por ui.sub_pages permite a un atacante manipular el identificador de fragmento de la URL, lo cual pueden hacer a pesar de ser de sitio cruzado, usando un iframe. Este problema ha sido parcheado en la versión 3.5.0.

15 Jan 2026, 17:45

Type	Values Removed	Values Added
First Time		Zauberzeug Zauberzeug nicegui
References	~~() https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0 -~~	() https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0 - Release Notes
References	~~() https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mhpg-c27v-6mxr -~~	() https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mhpg-c27v-6mxr - Exploit, Vendor Advisory
CPE		cpe:2.3:a:zauberzeug:nicegui::::::::

08 Jan 2026, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-08 10:15

Updated : 2026-06-17 10:19

NVD link : CVE-2026-21873

Mitre link : CVE-2026-21873

CVE.ORG link : CVE-2026-21873

JSON object : View

Products Affected

zauberzeug

nicegui

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-21873", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-21873", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T15:11:07.042037Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "zauberzeug", "product": "nicegui", "versions": [{"status": "affected", "version": ">= 2.22.0, < 3.5.0"}]}]}], "published": "2026-01-08T10:15:55.617", "references": [{"url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mhpg-c27v-6mxr", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been patched in version 3.5.0."}, {"lang": "es", "value": "NiceGUI es un framework de UI basado en Python. Desde las versiones 2.22.0 hasta la 3.4.1, una implementaci\u00f3n insegura en el oyente de eventos pushstate utilizado por ui.sub_pages permite a un atacante manipular el identificador de fragmento de la URL, lo cual pueden hacer a pesar de ser de sitio cruzado, usando un iframe. Este problema ha sido parcheado en la versi\u00f3n 3.5.0."}], "lastModified": "2026-06-17T10:19:04.083", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "37903F79-6269-4F0A-939A-36F3E3CC41B3", "versionEndExcluding": "3.5.0", "versionStartIncluding": "2.22.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}