Home > Vulnerability Database > CVE-2026-21872

Mend.io Vulnerability Database

CVE-2026-21872

Good to know:

Date: January 8, 2026

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0.

Severity Score

6.1

Related Resources (5)

Url: https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0

Url: https://github.com/zauberzeug/nicegui

Url: https://github.com/zauberzeug/nicegui/security/advisories/GHSA-m7j5-rq9j-6jj9

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-21872

Url: https://www.mend.io/vulnerability-database/CVE-2026-21872

Severity Score

6.1

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version nicegui - 3.5.0

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-21872

Good to know:

Date: January 8, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?