Home > Vulnerability Database > CVE-2026-21874

Mend.io Vulnerability Database

CVE-2026-21874

Good to know:

Date: January 8, 2026

NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections - errors are logged but the app stays up with broken storage functionality. This issue has been patched in version 3.5.0.

Severity Score

5.3

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-21874

Url: https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0

Url: https://github.com/zauberzeug/nicegui

Url: https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mp55-g7pj-rvm2

Url: https://github.com/zauberzeug/nicegui/commit/6c52eb2c90c4b67387c025b29646b4bc1578eb83

Url: https://www.mend.io/vulnerability-database/CVE-2026-21874

Severity Score

5.3

Weakness Type (CWE)

Missing Release of Resource after Effective Lifetime

CWE-772

Top Fix

Upgrade Version

Upgrade to version nicegui - 3.5.0;https://github.com/zauberzeug/nicegui.git - v3.5.0

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2026-21874

Good to know:

Date: January 8, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?