PT-2026-2112 · Nicegui · Nicegui

Evnchn · Published 2026-01-08 · Updated 2026-01-08

CVE-2026-21873 · CVSS v3.1 7.2 (High) · Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: NiceGUI versions 2.22.0 through 3.4.1

Description: NiceGUI is a Python-based UI framework. An unsafe implementation of the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, even from a different site, by embedding the page in an iframe. The manipulation is possible because of a flaw in how the framework handles URL fragment changes within sub-pages: the pushstate event listener, which is responsible for managing the browser's history state, does not adequately guard against cross-site changes to that state.

Recommendations: Upgrade to NiceGUI version 3.5.0 or later to resolve this issue.

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-21873, GHSA-MHPG-C27V-6MXR

Affected Products: Nicegui