CVE-2026-21873
Published 2026-01-08
Priority: P4 · 29 · medium · CVSS 3.1 base score: 6.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.23% (14.1th percentile)
NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been patched in version 3.5.0.
Affected: 3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zauberzeug | nicegui | — | — |
| zauberzeug | nicegui | >= 2.22.0 < 3.5.0 | 3.5.0 |
| zauberzeug | nicegui | >= 2.22.0 < 3.5.0 | 3.5.0 |
GHSA (2026-01-08): CVE-2026-21873 [HIGH] CWE-79 NiceGUI apps which use `ui.sub_pages` vulnerable to zero-click XSS
### Summary
An unsafe implementation in the `pushstate` event listener used by `ui.sub_pages` allows an attacker to manipulate the fragment identifier of the URL, which _they can do despite being cross-site, using an iframe_.
### Details
The problem is traced as follows:
1. On `pushstate`, `handleStateEvent` is executed.
https://github.com/zauberzeug/nicegui/blob/59fa9424c470f1b12c5d368985fa36e21fda706b/nicegui/elements/sub_pages.js#L38-L39
2. `handleStateEvent` emits the `sub_pages_open` event.
https://github.com/zauberzeug/nicegui/blob/59fa9424c470f1b12c5d368985fa36e21fda706b/nicegui/elements/sub_pages.js#L22-L25
3. `SubPagesRouter` (used by `ui.sub_pages`), listening on `sub_pages_open`, runs `_handle_open`.
https:
OSV (2026-01-08): CVE-2026-21873 [HIGH] NiceGUI apps which use `ui.sub_pages` vulnerable to zero-click XSS
No detection rules found.
No public exploits indexed.