What is the severity of CVE-2026-21872?

CVE-2026-21872 has a CVSS v3 score of 6.1, which is classified as Medium severity.

Is there an exploit available for CVE-2026-21872?

No known public exploits are currently available for CVE-2026-21872.

Is there a patch available for CVE-2026-21872?

Yes, patches are available for CVE-2026-21872. Check the vendor advisories for update instructions.

CVE-2026-21872 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v36.1

CVSS v20.0

Priority Score272.0

EPSS Score0.0

Medium

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

6.1

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

An unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes an XSS when the user actively clicks on the link.

Details

On click, eventually sub_pages_navigate event is emitted. https://github.com/zauberzeug/nicegui/blob/59fa9424c470f1b12c5d368985fa36e21fda706b/nicegui/elements/sub_pages.js#L41-L63
SubPagesRouter (used by ui.sub_pages), lisnening on sub_pages_navigate, _handle_navigate runs. https://github.com/zauberzeug/nicegui/blob/59fa9424c470f1b12c5d368985fa36e21fda706b/nicegui/sub_pages_router.py#L18-L22
_handle_navigate runs run_javascript with f-string substituting self.current_path which is simply surrounded by double-quotes. The string context can be broken out easily.

https://github.com/zauberzeug/nicegui/blob/59fa9424c470f1b12c5d368985fa36e21fda706b/nicegui/sub_pages_router.py#L73-L88

PoC

The minimal PoC boils down to this:

from nicegui import ui

ui.sub_pages({'/': lambda: ui.link('Go to XSS', '/"+alert(1)+"')})

ui.run()

However, it is more likely that the attack takes place with attacker-controlled input, for which this shows it:

from nicegui import app, ui

ui.sub_pages({'/': lambda: ui.label('Hello, World!')})

ui.textarea('Markdown content').bind_value(app.storage.general, 'markdown_content')

ui.markdown().bind_content_from(app.storage.general, 'markdown_content')

ui.run()

Vulnerable input is [XSS LINK](/"+alert(document.domain)+") (causes double payload execution, though)

Both cases require someone to click on the link.

Impact

Any page which uses ui.sub_pages and renders arbitrary links on screen (common case of ) is affected.

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:Network

User Interaction:Required

Scope:Changed

Confidentiality:Local

Integrity:Local

Availability:Network

Patch References

Github.com Security [email protected]

CVE-2026-21872

Summary

Details

PoC

Impact

Appendix

Scoring update after manual review