NiceGUI Cross-Site Scripting Vulnerability in Subpages Component
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in NiceGUI, a Python-based UI framework, affecting versions from 2.22.0 through 3.4.1. The issue arises from an unsafe implementation of the click event listener for 'ui.sub_pages', which intercepts link clicks and allows attacker-controlled links to be rendered and followed. When a user clicks such a link, the JavaScript payload it carries is executed in that user's browser. The fix shipped in NiceGUI version 3.5.0.
Impact
Exploitation of this vulnerability allows cross-site scripting: an attacker who can get a crafted link rendered inside a 'ui.sub_pages' container can run script in the victim's browser, in the origin and session of the affected NiceGUI application, once the victim clicks the link.
Reproduction
To reproduce this vulnerability, create a NiceGUI application that uses the 'ui.sub_pages' component. Render a link that includes a JavaScript payload, such as an alert. When the link is clicked, the injected script will execute, demonstrating the XSS vulnerability.
Remediation
Upgrade to NiceGUI version 3.5.0 or later, where this vulnerability has been patched. Until the upgrade is applied, avoid rendering links whose text or target comes from untrusted input inside a 'ui.sub_pages' container.
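For applications that must render user-supplied links while the upgrade is pending, or as defense in depth afterwards, the following is an added example of validating a link target before it reaches the page. It is not NiceGUI's code and it assumes that the payload is carried in the link's target (for example a 'javascript:' URL), which the advisory describes only as a link including a JavaScript payload; the allow-listed schemes and the helper names are this example's own choices. In a NiceGUI app you would run is_safe_href on a target before passing it to a link or raw-HTML element (an assumption about where to hook it, not a documented NiceGUI API).

```python
import html
import re
from urllib.parse import urlsplit

# Schemes the application is willing to navigate to. Everything else
# (javascript:, data:, vbscript:, ...) is refused. An allow-list is used
# rather than a block-list because block-lists miss encodings and new schemes.
# This set is an example choice, not a NiceGUI setting.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers strip ASCII control characters and surrounding whitespace from a
# URL before interpreting it, so "java\tscript:alert(1)" is still executed.
# Normalise the same way before looking at the scheme.
_CTRL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def is_safe_href(href: str) -> bool:
    """Return True only for same-origin relative paths or absolute URLs
    whose scheme is in ALLOWED_SCHEMES.

    Fails closed: an empty or unparseable target is treated as unsafe.
    """
    cleaned = _CTRL_OR_SPACE.sub("", href)
    if not cleaned:
        return False
    # urlsplit lower-cases the scheme, so "JaVaScRiPt:" is caught as well.
    scheme = urlsplit(cleaned).scheme
    if scheme == "":
        # Relative targets such as "/docs" or "#top" are fine. A
        # protocol-relative "//evil.example" has no scheme but still
        # leaves the origin, so it is rejected too.
        return not cleaned.startswith("//")
    return scheme in ALLOWED_SCHEMES


def render_link(text: str, href: str) -> str:
    """Build an <a> element for a link whose text and target are untrusted.

    Raises ValueError instead of emitting a link the page must not follow.
    Both attributes are HTML-escaped so link text cannot break out of the tag.
    """
    if not is_safe_href(href):
        raise ValueError(f"refusing to render link with disallowed target: {href!r}")
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(text)}</a>'


def render_untrusted_links(links: list[tuple[str, str]]) -> list[str]:
    """Render a batch of (text, href) pairs, dropping the ones that fail validation.

    Returns the HTML for the links that survived, in their original order.
    """
    rendered = []
    for text, href in links:
        try:
            rendered.append(render_link(text, href))
        except ValueError:
            continue  # drop the link; log it in a real application
    return rendered


if __name__ == "__main__":
    # Constructed sample input standing in for attacker-influenced link data.
    sample = [
        ("Docs", "/docs"),
        ("Home", "https://example.com/"),
        ("Click me", "javascript:alert(1)"),
        ("Still me", "java\tscript:alert(1)"),
        ("Leave", "//evil.example/"),
    ]
    for anchor in render_untrusted_links(sample):
        print(anchor)
```

Only the first two sample links are emitted; the three others are refused before any click handler ever sees them. This is a mitigation for applications that render untrusted links, not a replacement for the upgrade: the vulnerable click listener itself is only fixed in 3.5.0.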
