CVE-2025-66469 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the NiceGUI Python UI framework, specifically affecting versions prior to 3.4.0. The vulnerability stems from the ui.add_css, ui.add_scss, and ui.add_sass functions, which fail to properly sanitize or encode user input before embedding it into JavaScript contexts within web pages. This improper neutralization allows attackers to inject malicious payloads by inserting closing tags such as </style> or </script>, effectively breaking out of the intended CSS or script blocks and executing arbitrary JavaScript code in the victim's browser. The attack vector is remote and requires no privileges or authentication but does require user interaction, such as clicking a crafted link or visiting a malicious page. The vulnerability impacts confidentiality and integrity by enabling theft of session tokens, user credentials, or performing actions on behalf of the user. Availability is not directly affected. The vulnerability has a CVSS 3.1 base score of 6.1, indicating medium severity, with a vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. No known exploits have been reported in the wild as of the publication date. The issue is resolved in NiceGUI version 3.4.0, which implements proper input sanitization and encoding to prevent script injection. Organizations using NiceGUI in web-facing applications should upgrade promptly to mitigate risk.

For European organizations, this vulnerability poses a moderate risk primarily to web applications built with NiceGUI versions below 3.4.0. Successful exploitation can lead to unauthorized disclosure of sensitive information such as session cookies or personal data, undermining user privacy and potentially violating GDPR requirements. Attackers could also manipulate the integrity of displayed content or perform actions on behalf of users, leading to reputational damage and operational disruptions. While the vulnerability does not directly affect system availability, the indirect consequences of compromised user trust and potential regulatory penalties can be significant. Sectors with high reliance on web interfaces, including finance, healthcare, and public services, are particularly vulnerable. The lack of authentication requirement and ease of exploitation increase the likelihood of targeted phishing or social engineering campaigns leveraging this flaw. However, the absence of known active exploits reduces immediate risk, though proactive patching remains critical.

European organizations should immediately upgrade all NiceGUI deployments to version 3.4.0 or later to eliminate the vulnerability. Where immediate upgrading is not feasible, implement strict input validation and sanitization on all user-supplied data passed to ui.add_css, ui.add_scss, and ui.add_sass functions, ensuring that injected content cannot break out of style or script contexts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Conduct thorough code reviews and penetration testing focused on client-side injection vectors in applications using NiceGUI. Educate users and administrators about the risks of clicking untrusted links and the importance of applying security updates promptly. Monitor web application logs for suspicious requests that may indicate attempted exploitation. Additionally, consider implementing web application firewalls (WAFs) with rules designed to detect and block reflected XSS payloads targeting NiceGUI endpoints.