
CVE-2025-66470: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in zauberzeug nicegui

Severity: Medium
Tags: vulnerability, cve-2025-66470, cwe-79
Published: Tue Dec 09 2025 (12/09/2025, 00:11:14 UTC)
Source: CVE Database V5
Vendor/Project: zauberzeug
Product: nicegui

Description

NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are subject to a XSS vulnerability through the ui.interactive_image component of NiceGUI. The component renders SVG content using Vue's v-html directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG <foreignObject> tag whenever the image component is rendered or updated. This is particularly dangerous for dashboards or multi-user applications displaying user-generated content or annotations. This issue is fixed in version 3.4.0.

AI-Powered Analysis

Last updated: 12/09/2025, 00:32:41 UTC

Technical Analysis

CVE-2025-66470 is a medium-severity cross-site scripting (XSS) vulnerability affecting the NiceGUI Python-based UI framework, specifically versions up to 3.3.1. The vulnerability exists in the ui.interactive_image component, which renders SVG content using Vue.js's v-html directive without any sanitization or escaping. This unsafe rendering allows attackers to inject malicious HTML or JavaScript code through the SVG <foreignObject> tag. When the vulnerable component is rendered or updated, the injected code executes in the context of the user's browser, potentially leading to theft of sensitive information such as session cookies, user credentials, or enabling further attacks like account takeover or unauthorized actions. This is particularly dangerous in dashboards or multi-user applications where user-generated content or annotations are displayed, as attackers can craft SVG payloads that execute when viewed by other users. The vulnerability does not require authentication but does require user interaction (e.g., viewing or updating the image component). The CVSS 3.1 score is 6.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality and integrity but not availability. The issue was publicly disclosed on December 9, 2025, and is fixed in NiceGUI version 3.4.0. No known exploits are reported in the wild yet. Organizations using affected versions should upgrade promptly to mitigate risk.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to web applications built with NiceGUI versions below 3.4.0 that use the ui.interactive_image component to render SVG content, especially those that accept or display user-generated content. Successful exploitation can lead to unauthorized disclosure of sensitive information, such as session tokens or personal data, violating GDPR requirements and potentially resulting in regulatory penalties. The integrity of displayed data can be compromised, misleading users or enabling fraudulent actions. Although availability is not impacted, the reputational damage and loss of trust caused by XSS attacks can be significant. Sectors that rely heavily on interactive dashboards or collaborative tools, such as finance, healthcare, and government, are particularly exposed. Because user interaction is required, phishing or social engineering could be used to trigger the exploit. Given the cross-site scripting nature of the flaw, attackers could also leverage it to pivot to other internal systems or escalate privileges within the affected environment.

Mitigation Recommendations

European organizations should immediately upgrade NiceGUI to version 3.4.0 or later, where the vulnerability is fixed. Until upgrading is possible, implement strict input validation and sanitization on any user-generated SVG content before rendering it in the ui.interactive_image component. Employ Content Security Policy (CSP) headers to restrict execution of inline scripts and limit the impact of injected code. Disable or restrict the use of the <foreignObject> tag in SVGs if feasible. Conduct thorough code reviews and penetration testing focused on SVG rendering components. Educate developers and users about the risks of injecting or accepting untrusted SVG content. Monitor web application logs for suspicious activity related to SVG uploads or rendering. Consider deploying web application firewalls (WAFs) with rules targeting XSS payloads in SVG content. Finally, maintain an inventory of applications using NiceGUI to ensure all affected instances are identified and remediated.
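An allowlist-style pre-filter for the interim mitigation described above, added here as an example and not code from NiceGUI: it drops <foreignObject>, <script> and similar elements and strips event-handler and script-URL attributes from user-supplied SVG before the string is handed to ui.interactive_image. The sample SVG is constructed, and the size limit is an assumption.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # serialize SVG elements without an ns0: prefix

# Elements that embed HTML, script or external documents in an SVG. An annotation
# overlay never needs them, so each one is removed together with its subtree.
FORBIDDEN_TAGS = {"foreignObject", "script", "iframe", "object", "embed", "style"}
# href/xlink:href values the browser would execute or decode as markup.
DANGEROUS_URL = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)

def _local_name(qualified: str) -> str:
    """'{http://www.w3.org/2000/svg}rect' -> 'rect'."""
    return qualified.rsplit("}", 1)[-1]

def _scrub(elem: ET.Element) -> None:
    for child in list(elem):
        if _local_name(child.tag) in FORBIDDEN_TAGS:
            elem.remove(child)  # drops the whole <foreignObject>/<script> subtree
        else:
            _scrub(child)
    for name in list(elem.attrib):
        if _local_name(name).lower().startswith("on") or DANGEROUS_URL.match(elem.attrib[name]):
            del elem.attrib[name]  # onclick="...", href="javascript:..." and friends

def sanitize_svg(svg_text: str) -> str:
    """Return svg_text with script-bearing elements and attributes removed, or raise."""
    if len(svg_text) > 256_000 or re.search(r"<!(DOCTYPE|ENTITY)", svg_text, re.I):
        raise ValueError("rejected: oversized input or DTD/entity declarations")
    # xml.etree keeps this example dependency-free; parse untrusted XML with
    # defusedxml in production, which also blocks entity-expansion attacks.
    root = ET.fromstring(svg_text)
    if _local_name(root.tag) != "svg":
        raise ValueError("rejected: root element is not <svg>")
    _scrub(root)
    return ET.tostring(root, encoding="unicode")

# Constructed sample: one legitimate annotation plus the content an overlay must not carry.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">'
    '<rect x="10" y="10" width="30" height="30" fill="red" onclick="alert(1)"/>'
    '<foreignObject width="100" height="100">'
    '<div xmlns="http://www.w3.org/1999/xhtml">injected markup</div></foreignObject>'
    '<a href="#detail"><circle cx="50" cy="50" r="5"/></a></svg>'
)

if __name__ == "__main__":
    print(sanitize_svg(SAMPLE_SVG))
```

This filter reduces exposure on versions that cannot yet be upgraded; it is a stopgap alongside CSP, not a replacement for moving to 3.4.0.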


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-02T15:43:16.586Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69376b769bbcd7dc91d243c9

Added to database: 12/9/2025, 12:21:10 AM

Last enriched: 12/9/2025, 12:32:41 AM

Last updated: 12/11/2025, 7:16:45 AM

