PT-2026-21771 · Unknown+5 · Leafletlayer+6

Author: Anuraagbaishya · Published: 2026-02-24 · Updated: 2026-02-25 · CVE-2026-27156

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: NiceGUI versions prior to 3.8.0

Description: NiceGUI APIs, including Element.run_method(), AgGrid.run_grid_method(), EChart.run_chart_method(), and others, used an eval() fallback inside the JavaScript-side runMethod() function. When user-controlled input was passed as the method name, this allowed arbitrary JavaScript execution in the victim's browser. Additionally, Element.run_method() and Element.get_computed_prop() built the method/property name with string interpolation instead of json.dumps(), so a quote in the name could break out of the intended string context (quote injection). An attacker could craft a URL carrying a payload in a query parameter; if the application passes that parameter as a method name to any of the affected APIs, the payload is sent to the client over the WebSocket and executed. This could lead to cookie/token theft, DOM manipulation, and actions performed as the victim user. The affected methods are: Element.run_method(), Element.get_computed_prop(), AgGrid.run_grid_method(), AgGrid.run_row_method(), EChart.run_chart_method(), JsonEditor.run_editor_method(), Xterm.run_terminal_method(), Leaflet.run_map_method(), Leaflet.run_layer_method(), and LeafletLayer.run_method().

Recommendations: Update to NiceGUI version 3.8.0 or later. If updating is not immediately possible, use ui.run_javascript() instead of passing JavaScript functions as method names. For example, replace

row = await grid.run_grid_method('g => g.getDisplayedRowAtIndex(0).data')

with

row = await ui.run_javascript(f'return getElement({grid.id}).api.getDisplayedRowAtIndex(0).data')
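To make the quote-injection point concrete, here is an added Python illustration (not NiceGUI's own code): a hypothetical helper that builds the client-side call once with an f-string, as the advisory describes, and once with json.dumps(), plus an identifier allowlist for method names. The runMethod(element, name, args) call shape, the scanner and the sample input are constructed for this demo.

```python
import json
import re

# Hypothetical helper mirroring the pattern in the advisory; an added illustration,
# not NiceGUI's own code. runMethod(element, name, args) is a constructed stand-in
# for the client-side call that receives the method name.

IDENTIFIER = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")

def build_call_interpolated(method_name: str) -> str:
    """Vulnerable pattern: an f-string pastes the name into a JS string literal, so a
    double quote inside method_name closes the literal early (quote injection)."""
    return f'runMethod(element, "{method_name}", args)'

def build_call_json(method_name: str) -> str:
    """Fixed pattern: json.dumps() escapes quotes and backslashes, so the name can
    never leave the string context."""
    return f"runMethod(element, {json.dumps(method_name)}, args)"

def is_plain_identifier(method_name: str) -> bool:
    """Allowlist check: accept only bare identifiers, never expressions or arrows."""
    return bool(IDENTIFIER.match(method_name))

def safe_call(method_name: str) -> str:
    """Defence in depth: reject non-identifiers, then serialise with json.dumps()."""
    if not is_plain_identifier(method_name):
        raise ValueError(f"refusing non-identifier method name: {method_name!r}")
    return build_call_json(method_name)

def first_string_literal(js: str) -> str:
    """Content of the first double-quoted literal in js, honouring backslash escapes.
    Minimal scanner (ASCII input only), enough to show where the literal ends."""
    i = js.index('"') + 1
    out = []
    while i < len(js):
        ch = js[i]
        if ch == "\\":
            out.append(js[i + 1])
            i += 2
        elif ch == '"':
            return "".join(out)
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")

# Constructed sample input: a quote followed by text that should stay inside the literal.
CONSTRUCTED_INPUT = 'focus" + tail + "'
```

With the interpolated builder the literal ends at "focus" and the rest of the input lands outside the string; with the json.dumps() builder the whole input stays a single string literal, and safe_call() refuses it outright.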

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-27156
GHSA-78QV-3MPX-9CQQ

Affected Products

Ag-Grid
Echarts
Jsoneditor
Leaflet
Leafletlayer
Nicegui
Xterm