CVE-2026-21872

Name of the Vulnerable Software and Affected Versions NiceGUI versions 2.22.0 through 3.4.1

Description NiceGUI is a Python-based UI framework susceptible to a cross-site scripting (XSS) issue. The problem stems from an unsafe implementation within the click event listener used by ui.sub pages, coupled with the rendering of attacker-controlled links on the page. When a user clicks on such a link, XSS can occur. The issue involves the ui.sub pages function and the handling of links.

Recommendations Upgrade to NiceGUI version 3.5.0 or later.