CVE-2025-66470

Name of the Vulnerable Software and Affected Versions NiceGUI versions 3.3.1 and below

Description NiceGUI, a Python-based UI framework, has an issue where the ui.interactive image component can be exploited for cross-site scripting (XSS). The component renders Scalable Vector Graphics (SVG) content using Vue's v-html directive without proper sanitization. This allows attackers to inject malicious HTML or JavaScript code through the SVG <foreignObject> tag when the image component is rendered or updated. This is especially concerning in applications that display user-generated content or annotations, such as dashboards or multi-user applications.

Recommendations Update to version 3.4.0 or later.