6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-21872

CVE-2026-21872: NiceGUI apps are vulnerable to XSS which uses `ui.sub_pages` and render arbitrary user-provided links

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-21872

CVE-2026-21872:

6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nicegui	pip	>= 2.22.0, <= 3.4.1	3.5.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the nicegui library, specifically within the ui.sub_pages functionality. The advisory points to the _handle_navigate function in nicegui/sub_pages_router.py as the source of the vulnerability. By analyzing the patch that fixes the issue, it's clear that the vulnerability lies in how JavaScript code is generated. The original code used a Python f-string to directly inject a path into a JavaScript snippet. This path could be manipulated by an attacker to include malicious JavaScript. The patch fixes this by using json.dumps to properly escape the path, preventing the XSS attack. Therefore, the SubPagesRouter._handle_navigate function is the vulnerable function that would appear in a runtime profile during exploitation.

Vulnerable functions

SubPagesRouter._handle_navigate

nicegui/sub_pages_router.py

The function `_handle_navigate` in `SubPagesRouter` is vulnerable to Cross-Site Scripting (XSS). It constructs a JavaScript string for `client.run_javascript` using an f-string with user-controllable input (`self.current_path`) without proper escaping. An attacker can provide a malicious path that breaks out of the string literal in the generated JavaScript, allowing for the execution of arbitrary JavaScript code in the user's browser when a link is clicked.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-21872: NiceGUI apps are vulnerable to XSS which uses `ui.sub_pages` and render arbitrary user-provided links

CVE-2026-21872:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2026-21872: NiceGUI apps are vulnerable to XSS which uses `ui.sub_pages` and render arbitrary user-provided links

Basic Information

Basic Information

6.1

6.1

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI