
CVE-2025-66470: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in zauberzeug nicegui

Severity: Medium
Tags: CVE-2025-66470, CWE-79
Published: Tue Dec 09 2025 (12/09/2025, 00:11:14 UTC)
Source: CVE Database V5
Vendor/Project: zauberzeug
Product: nicegui

Description

NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are subject to an XSS vulnerability through the ui.interactive_image component of NiceGUI. The component renders SVG content using Vue's v-html directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG <foreignObject> tag whenever the image component is rendered or updated. This is particularly dangerous for dashboards or multi-user applications displaying user-generated content or annotations. This issue is fixed in version 3.4.0.

AI-Powered Analysis

Last updated: 12/16/2025, 06:03:00 UTC

Technical Analysis

CVE-2025-66470 is a cross-site scripting (XSS) vulnerability identified in the NiceGUI Python UI framework, specifically in versions 3.3.1 and earlier. The vulnerability stems from the ui.interactive_image component, which renders SVG images using Vue.js's v-html directive without applying any sanitization or escaping. This allows attackers to embed malicious HTML or JavaScript code within the SVG's <foreignObject> tag. When the vulnerable component renders or updates the SVG, the malicious code executes in the context of the user's browser session.

This can lead to theft of session tokens, unauthorized actions, or defacement of the user interface. The vulnerability is particularly dangerous in multi-user environments or dashboards that display user-generated content or annotations, as attackers can inject payloads that affect other users. The flaw does not require authentication but does require user interaction to trigger the malicious content rendering.

The issue was publicly disclosed on December 9, 2025, and fixed in NiceGUI version 3.4.0. The CVSS v3.1 base score is 6.1 (medium severity), with attack vector network, low attack complexity, no privileges required, user interaction required, scope changed, and impacts on confidentiality and integrity but not availability. No known exploits have been reported in the wild yet. This vulnerability highlights the risks of rendering untrusted SVG content without sanitization in web applications using modern JavaScript frameworks.

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to web applications and dashboards built with NiceGUI that incorporate user-generated SVG content. Exploitation can lead to unauthorized disclosure of sensitive information such as session cookies or personal data, potentially enabling further attacks like session hijacking or privilege escalation. Integrity of displayed data can also be compromised, undermining trust in dashboards used for decision-making or monitoring. Since the vulnerability requires user interaction, phishing or social engineering could be leveraged to trigger the attack. The impact is heightened in multi-user environments common in enterprise settings, where one compromised user session can affect others. While availability is not impacted, the confidentiality and integrity breaches could lead to regulatory compliance issues under GDPR if personal data is exposed. Organizations relying on NiceGUI for internal tools, customer-facing portals, or collaborative platforms should consider this vulnerability a significant risk to their web application security posture.

Mitigation Recommendations

The primary mitigation is to upgrade all NiceGUI instances to version 3.4.0 or later, where the vulnerability is fixed. Until upgrades can be applied, organizations should implement strict input validation and sanitization on any user-generated SVG content before rendering it in the ui.interactive_image component. Employ Content Security Policy (CSP) headers to restrict script execution and reduce the impact of potential XSS payloads. Disable or restrict the use of the <foreignObject> tag in SVGs if possible.

Educate users about the risks of interacting with untrusted content and implement monitoring to detect unusual script execution or DOM manipulations. For multi-user applications, apply role-based access controls to limit who can upload or modify SVG content. Regularly audit and review third-party components for security updates. Finally, conduct penetration testing focused on XSS vectors in SVG rendering to identify any residual risks.
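As an added illustration of the sanitization step recommended above (example code written for this record, not part of the record itself or of the NiceGUI project): a standard-library Python function that parses user-supplied SVG and strips the elements and attributes that can carry HTML or script, <foreignObject> included, before the string is handed to ui.interactive_image. The blocked-element set, the URL allowlist and the sample SVG are the example's own choices, and the `content` parameter named in the usage comment is an assumption about the component's API rather than something this record states.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that can embed HTML or script inside an SVG; removed together with their subtrees.
# Example denylist: extend it to match what your own application needs to block.
BLOCKED_ELEMENTS = {"foreignobject", "script", "iframe", "object", "embed"}
# Attributes whose value is a URL and may therefore reference script or external content.
URL_ATTRIBUTES = {"href", f"{{{XLINK_NS}}}href"}
# Allowlist of URL shapes that are kept: fragment, same-site path, or http(s).
ALLOWED_URL_PREFIXES = ("#", "/", "http://", "https://")


def _local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return tag.rsplit("}", 1)[-1].lower()


def _url_is_safe(value: str) -> bool:
    """Keep only allowlisted URL shapes; whitespace is removed first so it cannot disguise a scheme."""
    cleaned = "".join(value.split()).lower()
    return cleaned.startswith(ALLOWED_URL_PREFIXES)


def sanitize_svg(svg_text: str) -> str:
    """Return a copy of svg_text with scriptable elements and attributes removed.

    Raises ValueError if the input is not well-formed XML with an <svg> root.
    Note: this covers elements and attributes only, not CSS inside <style> or style=""
    attributes. For untrusted input in production, parse with defusedxml.ElementTree
    instead of the stdlib parser so that entity-expansion attacks are rejected as well.
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed SVG: {exc}") from None
    if _local_name(root.tag) != "svg":
        raise ValueError("document root is not an <svg> element")

    # First pass: drop blocked elements. Iterate over a snapshot because the tree is mutated.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local_name(child.tag) in BLOCKED_ELEMENTS:
                parent.remove(child)

    # Second pass: drop event-handler attributes (on*) and URL attributes outside the allowlist.
    for element in root.iter():
        for attr in list(element.attrib):
            if _local_name(attr).startswith("on"):
                del element.attrib[attr]
            elif attr in URL_ATTRIBUTES and not _url_is_safe(element.attrib[attr]):
                del element.attrib[attr]

    return ET.tostring(root, encoding="unicode")


def is_renderable_svg(svg_text: str) -> bool:
    """True if sanitize_svg accepts the input, False if it must be rejected outright."""
    try:
        sanitize_svg(svg_text)
    except ValueError:
        return False
    return True


# Constructed sample input: a harmless drawing plus an annotation wrapped in <foreignObject>
# and an event-handler attribute, as an untrusted user might submit it.
SAMPLE_UNTRUSTED_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
    'viewBox="0 0 100 100">'
    '<g><circle cx="50" cy="50" r="10" onclick="handler()"/>'
    '<foreignObject x="0" y="0" width="100" height="100"><div>annotation</div></foreignObject></g>'
    '<a xlink:href="https://example.com/docs"><text x="5" y="95">label</text></a>'
    '</svg>'
)

if __name__ == "__main__":
    clean = sanitize_svg(SAMPLE_UNTRUSTED_SVG)
    print(clean)
    # In a NiceGUI app the sanitized string, not the raw upload, is what goes to the component:
    # ui.interactive_image(source, content=clean)   # 'content' is an assumed parameter name
```

The function uses an allowlist for URLs and a denylist for elements; a stricter deployment would invert the second choice and keep only the drawing primitives it actually needs (path, rect, circle, text, g). Whichever list is used, the sanitizer belongs on the server side, immediately before the string reaches the component, so that it also covers updates to an already rendered image.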


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-02T15:43:16.586Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69376b769bbcd7dc91d243c9

Added to database: 12/9/2025, 12:21:10 AM

Last enriched: 12/16/2025, 6:03:00 AM

Last updated: 2/6/2026, 1:38:05 PM

Views: 126
