CVE-2026-21871 is a cross-site scripting vulnerability classified under CWE-79 affecting the NiceGUI Python UI framework, specifically versions 2.13.0 up to but not including 3.5.0. NiceGUI provides helpers ui.navigate.history.push() and ui.navigate.history.replace() as wrappers around the browser's History API to update the URL without triggering a page reload. The vulnerability occurs because these methods embed the URL argument directly into generated JavaScript code without proper escaping or sanitization. If an attacker can supply a crafted string as the URL parameter, they can inject malicious JavaScript code that breaks out of the string context and executes arbitrary scripts in the user's browser. This can lead to theft of session tokens, manipulation of page content, or other malicious actions within the context of the affected web application. Exploitation requires the victim to interact with a malicious link or input that triggers the vulnerable code path. The vulnerability does not require authentication but does require user interaction. The scope is limited to applications that pass untrusted input into these navigation methods; applications that do not do so are not affected. The issue was publicly disclosed and patched in NiceGUI version 3.5.0. No known exploits are currently in the wild. The CVSS v3.1 base score is 6.1, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and partial impact on confidentiality and integrity but no impact on availability.

For European organizations, this vulnerability poses a risk primarily to web applications built using the NiceGUI framework versions 2.13.0 to 3.4.1 that accept and pass untrusted user input into the ui.navigate.history.push() or ui.navigate.history.replace() methods. Successful exploitation can lead to cross-site scripting attacks, enabling attackers to execute arbitrary JavaScript in users' browsers. This can result in theft of sensitive information such as session cookies, credentials, or personal data, potentially violating GDPR requirements on data protection. It can also allow attackers to perform actions on behalf of users, leading to integrity breaches. While the vulnerability does not affect availability, the reputational damage and regulatory consequences of data leakage can be significant. Sectors with high reliance on web applications for customer interaction, such as finance, healthcare, and public services, are particularly vulnerable. Since exploitation requires user interaction, phishing or social engineering campaigns could be used to trigger the attack. The lack of known exploits in the wild suggests a window of opportunity for proactive mitigation before widespread abuse occurs.

1. Upgrade all NiceGUI instances to version 3.5.0 or later, where the vulnerability is patched. 2. Audit all web applications using NiceGUI to identify any usage of ui.navigate.history.push() or ui.navigate.history.replace() methods. 3. Ensure that no untrusted or user-controlled input is passed directly into these methods without proper validation and escaping. 4. Implement strict input validation and sanitization on any data that could influence URL parameters or navigation functions. 5. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 6. Educate developers on secure coding practices related to client-side navigation and JavaScript injection risks. 7. Monitor web application logs and user reports for suspicious activity indicative of XSS exploitation attempts. 8. Consider using web application firewalls (WAFs) with rules to detect and block common XSS payloads targeting these functions. 9. Conduct security testing, including automated and manual penetration tests, focusing on client-side injection vectors involving the History API wrappers.