CVE-2025-53354

Name of the Vulnerable Software and Affected Versions NiceGUI versions prior to 3.0.0

Description NiceGUI, a Python-based UI framework, is susceptible to Cross-Site Scripting (XSS) when developers render unescaped user input into the DOM using ui.html(). The framework did not enforce HTML or JavaScript sanitization before version 3.0.0, allowing attackers to execute arbitrary JavaScript in a user’s browser if applications directly combine components like ui.input() with ui.html() or ui.chat message with HTML content without proper escaping. The vulnerable code path occurs when user input is rendered verbatim into the page’s DOM via innerHTML. A proof of concept demonstrates that injecting a malicious payload, such as <img src=x onerror=alert('XSS')>, triggers a JavaScript alert. The issue affects applications that directly reflect user input via ui.html() or ui.chat message in HTML mode, potentially leading to client-side code execution, including session hijacking or phishing.

Recommendations Update to NiceGUI version 3.0.0 or later to resolve this issue.