Home > Vulnerability Database > CVE-2025-66469

Mend.io Vulnerability Database

CVE-2025-66469

Good to know:

Date: December 8, 2025

NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.add_css, ui.add_scss, and ui.add_sass functions. The functions lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended <style> or <script> tags by injecting closing tags (e.g., </style> or </script>), allowing for the execution of arbitrary JavaScript. This issue is fixed in version 3.4.0.

Severity Score

6.1

Related Resources (5)

Url: https://github.com/zauberzeug/nicegui

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-66469

Url: https://github.com/zauberzeug/nicegui/security/advisories/GHSA-72qc-wxch-74mg

Url: https://github.com/zauberzeug/nicegui/commit/a8fd25b7d5e23afb1952d0f60a1940e18b5f1ca8

Url: https://www.mend.io/vulnerability-database/CVE-2025-66469

Severity Score

6.1

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version nicegui - 3.4.0;nicegui - 3.4.0;https://github.com/zauberzeug/nicegui.git - v3.4.0

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-66469

Good to know:

Date: December 8, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?