Summary
XSS risk exists in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim’s browser.
Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected.
Details
NiceGUI provides ui.navigate.history.push(url) and ui.navigate.history.replace(url) to update the URL using the browser History API. If an application forwards user-controlled data (e.g., URL path segments, query parameters like next=..., form values, etc.) into these methods, an attacker can inject characters such as quotes and statement terminators to escape the JavaScript string context and execute arbitrary code.
A vulnerable pattern is:
- attacker controls a value (e.g., via the request path),
- the application passes it to
ui.navigate.history.push(payload)(orreplace).
This is similar in spirit to other NiceGUI XSS advisories:
ui.html(),ui.chat_message()can cause XSS when developers render untrusted input as HTML (XSS risk/footgun).ui.interactive_imagehad XSS via unsanitized SVG content and was handled as a security advisory with a fix and severity rating.
Because ui.navigate.history.* is expected to accept a URL (data) rather than executable code, the library should escape/encode the argument before emitting JavaScript.
PoC
Create a simple app
from nicegui import ui
@ui.page('/')
def index():
# A link/button a victim could click (attacker can also send the URL directly)
ui.button('open crafted path', on_click=lambda: ui.navigate.to('/%22);alert(document.domain);//'))
@ui.page('/{payload:path}')
def victim(payload: str):
ui.label(f'payload = {payload!r}')
# Vulnerable use: forwarding attacker-controlled path to history.push
ui.button('trigger', on_click=lambda: ui.navigate.history.push(payload))
ui.run()
Run the app
python app.py
Trigger
- Open
http://localhost:8080/ - Click
open crafted path - Click
trigger
Expected result: JavaScript executes (an alert showing document.domain).
Impact
- Vulnerability type: DOM-based XSS
- Attack vector: attacker-controlled input embedded into JavaScript via
ui.navigate.history.push/replace - Affected users: any NiceGUI-based application that forwards untrusted input into
ui.navigate.history.push()orui.navigate.history.replace() - Potential outcomes: client-side code execution, phishing UI injection, and other typical XSS impacts
Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.
CVE-2026-21871 has a CVSS score of 6.1 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.5.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-21871? CVE-2026-21871 is a medium-severity cross-site scripting (XSS) vulnerability in nicegui (pip), affecting versions >= 2.13.0, <= 3.4.1. It is fixed in 3.5.0. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
- How severe is CVE-2026-21871? CVE-2026-21871 has a CVSS score of 6.1 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of nicegui are affected by CVE-2026-21871? nicegui (pip) versions >= 2.13.0, <= 3.4.1 is affected.
- Is there a fix for CVE-2026-21871? Yes. CVE-2026-21871 is fixed in 3.5.0. Upgrade to this version or later.
- Is CVE-2026-21871 exploitable, and should I be worried? Whether CVE-2026-21871 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-21871 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-21871? Upgrade
niceguito 3.5.0 or later.