CVE-2026-27156
published 2026-02-24CVE-2026-27156: NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`…
PriorityP430medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
0.16%
5.9th percentile
NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser. Additionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context. Version 3.8.0 contains a fix.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zauberzeug | nicegui | < 3.8.0 | 3.8.0 |
| zauberzeug | nicegui | >= 0 < 3.8.0 | 3.8.0 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
NiceGUI vulnerable to XSS via Code Injection during client-side element function execution
osv·2026-02-24
CVE-2026-27156 [MEDIUM] NiceGUI vulnerable to XSS via Code Injection during client-side element function execution
NiceGUI vulnerable to XSS via Code Injection during client-side element function execution
### Summary
Several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser.
Additionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context.
### Attack Vector
An attacker crafts a malicious URL with a payload as a query parameter. If the
GHSA
NiceGUI vulnerable to XSS via Code Injection during client-side element function execution
ghsa·2026-02-24
CVE-2026-27156 [MEDIUM] CWE-79 NiceGUI vulnerable to XSS via Code Injection during client-side element function execution
NiceGUI vulnerable to XSS via Code Injection during client-side element function execution
### Summary
Several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser.
Additionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context.
### Attack Vector
An attacker crafts a malicious URL with a payload as a query parameter. If the
No detection rules found.
No public exploits indexed.
2026-02-24
Published