Skip to content

NiceGUI is vulnerable to XSS via Unescaped URL in ui.navigate.history.push() / replace()

Moderate severity GitHub Reviewed Published Jan 8, 2026 in zauberzeug/nicegui • Updated Jan 8, 2026

Package

pip nicegui (pip)

Affected versions

>= 2.13.0, <= 3.4.1

Patched versions

3.5.0

Description

Summary

XSS risk exists in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim’s browser.

Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected.

Details

NiceGUI provides ui.navigate.history.push(url) and ui.navigate.history.replace(url) to update the URL using the browser History API. If an application forwards user-controlled data (e.g., URL path segments, query parameters like next=..., form values, etc.) into these methods, an attacker can inject characters such as quotes and statement terminators to escape the JavaScript string context and execute arbitrary code.

A vulnerable pattern is:

  • attacker controls a value (e.g., via the request path),
  • the application passes it to ui.navigate.history.push(payload) (or replace).

This is similar in spirit to other NiceGUI XSS advisories:

  • ui.html(),ui.chat_message() can cause XSS when developers render untrusted input as HTML (XSS risk/footgun).
  • ui.interactive_image had XSS via unsanitized SVG content and was handled as a security advisory with a fix and severity rating.

Because ui.navigate.history.* is expected to accept a URL (data) rather than executable code, the library should escape/encode the argument before emitting JavaScript.

PoC

Create a simple app

from nicegui import ui

@ui.page('/')
def index():
    # A link/button a victim could click (attacker can also send the URL directly)
    ui.button('open crafted path', on_click=lambda: ui.navigate.to('/%22);alert(document.domain);//'))

@ui.page('/{payload:path}')
def victim(payload: str):
    ui.label(f'payload = {payload!r}')

    # Vulnerable use: forwarding attacker-controlled path to history.push
    ui.button('trigger', on_click=lambda: ui.navigate.history.push(payload))

ui.run()

Run the app

python app.py

Trigger

  1. Open http://localhost:8080/
  2. Click open crafted path
  3. Click trigger

Expected result: JavaScript executes (an alert showing document.domain).

Impact

  • Vulnerability type: DOM-based XSS
  • Attack vector: attacker-controlled input embedded into JavaScript via ui.navigate.history.push/replace
  • Affected users: any NiceGUI-based application that forwards untrusted input into ui.navigate.history.push() or ui.navigate.history.replace()
  • Potential outcomes: client-side code execution, phishing UI injection, and other typical XSS impacts

References

@falkoschindler falkoschindler published to zauberzeug/nicegui Jan 8, 2026
Published by the National Vulnerability Database Jan 8, 2026
Published to the GitHub Advisory Database Jan 8, 2026
Reviewed Jan 8, 2026
Last updated Jan 8, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(8th percentile)

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Learn more on MITRE.

CVE ID

CVE-2026-21871

GHSA ID

GHSA-7grm-h62g-5m97

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.