What is CVE-2026-21871?

### Summary XSS risk exists in NiceGUI when developers pass attacker-controlled strings into `ui.navigate.history.push()` or `ui.navigate.history.replace()`. These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim’s browser. **Applications that do not pass untrusted input into `ui.navigate.history.push/replace` are not affected.** ### Details NiceGUI provides `ui.navigate.history.push(url)` and `ui.navigate.history.replace(url)` to update the URL using the browser History API. If an application forwards user-controlled data (e.g., URL path segments, query parameters like `next=...`, form values, etc.) into these methods, an attacker can inject characters such as quotes and statement terminators to escape the JavaScript string context and execute arbitrary code. A vulnerable pattern is: - attacker controls a value (e.g., via the request path), - the application passes it to `ui.navigate.history.push(payload)` (or `replace`). This is similar in spirit to other NiceGUI XSS advisories: - `ui.html()`,`ui.chat_message()` can cause XSS when developers render untrusted input as HTML (XSS risk/footgun). - `ui.interactive_image` had XSS via unsanitized SVG content and was handled as a security advisory with a fix and severity rating. Because `ui.navigate.history.*` is expected to accept a URL (data) rather than executable code, the library should escape/encode the argument before emitting JavaScript. ### PoC #### Create a simple app ```python from nicegui import ui @ui.page('/') def index(): # A link/button a victim could click (attacker can also send the URL directly) ui.button('open crafted path', on_click=lambda: ui.navigate.to('/%22);alert(document.domain);//')) @ui.page('/{payload:path}') def victim(payload: str): ui.label(f'payload = {payload!r}') # Vulnerable use: forwarding attacker-controlled path to history.push ui.button('trigger', on_click=lambda: ui.navigate.history.push(payload)) ui.run() ``` #### Run the app ```bash python app.py ``` #### Trigger 1. Open `http://localhost:8080/` 2. Click `open crafted path` 3. Click `trigger` Expected result: JavaScript executes (an alert showing `document.domain`). ### Impact - Vulnerability type: DOM-based XSS - Attack vector: attacker-controlled input embedded into JavaScript via `ui.navigate.history.push/replace` - Affected users: any NiceGUI-based application that forwards untrusted input into `ui.navigate.history.push()` or `ui.navigate.history.replace()` - Potential outcomes: client-side code execution, phishing UI injection, and other typical XSS impacts

What is the severity of CVE-2026-21871?

CVE-2026-21871 has a CVSS v3 score of 6.1, which is classified as Medium severity.

Is there an exploit available for CVE-2026-21871?

No known public exploits are currently available for CVE-2026-21871.

Is there a patch available for CVE-2026-21871?

Yes, patches are available for CVE-2026-21871. Check the vendor advisories for update instructions.

CVE-2026-21871 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v36.1

CVSS v20.0

Priority Score272.0

EPSS Score0.0

Medium

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

6.1

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

XSS risk exists in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim’s browser.

Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected.

Details

NiceGUI provides ui.navigate.history.push(url) and ui.navigate.history.replace(url) to update the URL using the browser History API. If an application forwards user-controlled data (e.g., URL path segments, query parameters like next=..., form values, etc.) into these methods, an attacker can inject characters such as quotes and statement terminators to escape the JavaScript string context and execute arbitrary code.

A vulnerable pattern is:

attacker controls a value (e.g., via the request path),
the application passes it to ui.navigate.history.push(payload) (or replace).

This is similar in spirit to other NiceGUI XSS advisories:

ui.html(),ui.chat_message() can cause XSS when developers render untrusted input as HTML (XSS risk/footgun).
ui.interactive_image had XSS via unsanitized SVG content and was handled as a security advisory with a fix and severity rating.

Because ui.navigate.history.* is expected to accept a URL (data) rather than executable code, the library should escape/encode the argument before emitting JavaScript.

PoC

Create a simple app

from nicegui import ui

@ui.page('/')
def index():
    # A link/button a victim could click (attacker can also send the URL directly)
    ui.button('open crafted path', on_click=lambda: ui.navigate.to('/%22);alert(document.domain);//'))

@ui.page('/{payload:path}')
def victim(payload: str):
    ui.label(f'payload = {payload!r}')

    # Vulnerable use: forwarding attacker-controlled path to history.push
    ui.button('trigger', on_click=lambda: ui.navigate.history.push(payload))

ui.run()

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:Network

User Interaction:Required

Scope:Changed

Confidentiality:Local

Integrity:Local

Availability:Network

Patch References

Github.com Security [email protected]