Vulnerability Details CVE-2026-21872
NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 8.7%
CVSS Severity
CVSS v3 Score 6.1
References
Products affected by CVE-2026-21872
-
cpe:2.3:a:zauberzeug:nicegui:2.22.0
-
cpe:2.3:a:zauberzeug:nicegui:2.22.1
-
cpe:2.3:a:zauberzeug:nicegui:2.22.2
-
cpe:2.3:a:zauberzeug:nicegui:2.23.0
-
cpe:2.3:a:zauberzeug:nicegui:2.23.1
-
cpe:2.3:a:zauberzeug:nicegui:2.23.2
-
cpe:2.3:a:zauberzeug:nicegui:2.23.3
-
cpe:2.3:a:zauberzeug:nicegui:2.24.0
-
cpe:2.3:a:zauberzeug:nicegui:2.24.1
-
cpe:2.3:a:zauberzeug:nicegui:2.24.2
-
cpe:2.3:a:zauberzeug:nicegui:3.0.0
-
cpe:2.3:a:zauberzeug:nicegui:3.0.1
-
cpe:2.3:a:zauberzeug:nicegui:3.0.2
-
cpe:2.3:a:zauberzeug:nicegui:3.0.3
-
cpe:2.3:a:zauberzeug:nicegui:3.0.4
-
cpe:2.3:a:zauberzeug:nicegui:3.1.0
-
cpe:2.3:a:zauberzeug:nicegui:3.2.0
-
cpe:2.3:a:zauberzeug:nicegui:3.3.0
-
cpe:2.3:a:zauberzeug:nicegui:3.3.1
-
cpe:2.3:a:zauberzeug:nicegui:3.4.0