PT-2026-2110 · Nicegui · Nicegui

Xx-Mikusan-Xx · Published 2026-01-08 · Updated 2026-01-08 · CVE-2026-21871

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: NiceGUI versions 2.13.0 through 3.4.1
Description: NiceGUI is a Python-based UI framework that is susceptible to a cross-site scripting (XSS) issue. The issue arises when an application passes attacker-controlled strings to ui.navigate.history.push() or ui.navigate.history.replace(). These functions wrap the browser History API to update the URL without a page reload; when the URL argument is embedded into generated JavaScript without proper escaping, a crafted value can execute arbitrary JavaScript in the victim's browser. Applications that never pass untrusted input to these two functions are not affected.
Recommendations: NiceGUI versions 2.13.0 through 3.4.1 should be updated to version 3.5.0 or later.
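The defect the description names is a string-interpolation bug: a URL value is spliced into JavaScript source text. The following added example is not NiceGUI's code and the function names are hypothetical (the advisory does not show the project's implementation); it contrasts an unescaped interpolation with one that validates the value as a leading-slash relative path and emits it as a JSON string literal.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample input: a URL-typed value containing a quote and a
# tag-like fragment, as an application might receive from an untrusted
# query parameter. Illustrative only; not a payload from the advisory.
UNTRUSTED_URL = "/items?q=' ); /* not a url */ </script>"


def push_js_unsafe(url: str) -> str:
    """Hypothetical vulnerable pattern: the argument is spliced verbatim into
    JS source, so a quote in `url` ends the literal and the rest is code."""
    return f"history.pushState(null, '', '{url}');"


def is_relative_path(url: str) -> bool:
    """Accept only in-app paths: leading slash, no scheme, no host, and not
    the protocol-relative '//host' form."""
    parts = urlsplit(url)
    return (not parts.scheme and not parts.netloc
            and url.startswith("/") and not url.startswith("//"))


def push_js_safe(url: str) -> str:
    """Hardened form: validate, then emit the value as a JSON string literal.
    json.dumps escapes quotes, backslashes and (with ensure_ascii) U+2028/2029;
    the extra replace keeps '</' out of inline <script> content, where it
    would otherwise terminate the element."""
    if not is_relative_path(url):
        raise ValueError(f"refusing to push non-relative URL: {url!r}")
    literal = json.dumps(url).replace("</", "<\\/")
    return f"history.pushState(null, '', {literal});"


def js_string_literal_intact(js: str) -> bool:
    """Structural check: the statement carries exactly one string argument and
    nothing executable follows it."""
    pattern = r"^history\.pushState\(null, '', (?:'[^']*'|\"(?:[^\"\\]|\\.)*\")\);$"
    return re.fullmatch(pattern, js) is not None
```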

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-21871
GHSA-7GRM-H62G-5M97

Affected Products

Nicegui