cbcvebase.
CVE-2025-66469
published 2025-12-09

CVE-2025-66469: NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.add_css, ui.add_scss, and ui.add_sass…

PriorityP429medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
0.22%
12.9th percentile
NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.add_css, ui.add_scss, and ui.add_sass functions. The functions lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended or tags by injecting closing tags (e.g., or ), allowing for the execution of arbitrary JavaScript. This issue is fixed in version 3.4.0.

Affected

2 ranges
VendorProductVersion rangeFixed in
zauberzeugnicegui< 3.4.03.4.0
zauberzeugnicegui>= 0 < 3.4.03.4.0
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.