CVE-2026-21871 identifies a cross-site scripting (XSS) vulnerability in the NiceGUI Python UI framework, specifically in versions from 2.13.0 up to but not including 3.5.0. NiceGUI provides helpers ui.navigate.history.push() and ui.navigate.history.replace() that wrap the browser's History API to update the URL without triggering a page reload. The vulnerability occurs when these helpers are called with attacker-controlled strings that are embedded into generated JavaScript without proper escaping or sanitization. This improper neutralization of input (CWE-79) allows an attacker to craft a malicious URL argument that breaks out of the intended string context and injects arbitrary JavaScript code. When a victim's browser processes this malicious payload, the injected script executes with the privileges of the web application, potentially stealing sensitive information, manipulating the DOM, or performing actions on behalf of the user. Exploitation requires that the vulnerable application passes untrusted input into these navigation functions and that the victim interacts with the malicious link or payload. The vulnerability does not require authentication but does require user interaction (UI:R). The CVSS v3.1 base score is 6.1, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality and integrity but not availability. The issue has been patched in NiceGUI version 3.5.0, which properly escapes or sanitizes input to prevent script injection. No known exploits are currently reported in the wild. Organizations using affected NiceGUI versions in web applications should prioritize upgrading and review their usage of these navigation APIs to ensure no untrusted input is passed. This vulnerability is particularly relevant for web applications that dynamically update URLs based on user input or external data sources.

For European organizations, this vulnerability poses a risk primarily to web applications built with NiceGUI versions 2.13.0 to 3.4.1 that incorporate untrusted user input into URL navigation functions. Successful exploitation can lead to arbitrary JavaScript execution in users' browsers, compromising confidentiality by exposing session tokens, cookies, or personal data. Integrity may be affected as attackers can manipulate the DOM or perform unauthorized actions on behalf of users. Although availability is not impacted, the reputational damage and potential regulatory consequences under GDPR for data leakage are significant. Sectors with high web application usage such as finance, healthcare, and public services are particularly vulnerable. The requirement for user interaction means phishing or social engineering may be used to lure victims. The medium severity score indicates a moderate but actionable threat. Organizations relying on NiceGUI for internal or customer-facing portals should assess their exposure and remediate promptly to avoid exploitation.

1. Upgrade all NiceGUI instances to version 3.5.0 or later, where the vulnerability is patched. 2. Conduct a thorough code audit to identify any usage of ui.navigate.history.push() and ui.navigate.history.replace() functions, verifying that no untrusted or attacker-controlled input is passed to these APIs. 3. Implement strict input validation and sanitization on all user-supplied data that could influence URL navigation or JavaScript generation. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 5. Educate developers on secure coding practices related to client-side navigation and JavaScript injection risks. 6. Monitor web application logs and user reports for suspicious activity indicative of XSS exploitation attempts. 7. For applications where immediate upgrade is not feasible, consider applying runtime mitigations such as input filtering or disabling dynamic URL updates until patched. 8. Incorporate automated security testing tools that detect XSS vulnerabilities during development and deployment cycles.