Home > Vulnerability Database > CVE-2026-21871

Mend.io Vulnerability Database

CVE-2026-21871

Good to know:

Date: January 8, 2026

NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is a XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim’s browser. Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected. This issue has been patched in version 3.5.0.

Severity Score

6.1

Related Resources (5)

Url: https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0

Url: https://github.com/zauberzeug/nicegui/security/advisories/GHSA-7grm-h62g-5m97

Url: https://github.com/zauberzeug/nicegui

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-21871

Url: https://www.mend.io/vulnerability-database/CVE-2026-21871

Severity Score

6.1

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version nicegui - 3.5.0;https://github.com/zauberzeug/nicegui.git - v3.5.0

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-21871

Good to know:

Date: January 8, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?