CVE-2026-21872 is a medium-severity cross-site scripting (XSS) vulnerability affecting the NiceGUI Python UI framework versions 2.22.0 up to 3.4.1. The vulnerability stems from an unsafe implementation in the click event listener mechanism used by the ui.sub_pages component. Specifically, the framework improperly neutralizes input during web page generation, allowing attacker-controlled links to inject malicious scripts. When a user clicks such a crafted link, the malicious payload executes in the context of the victim's browser, potentially leading to theft of sensitive information, session hijacking, or manipulation of the UI. The vulnerability requires no authentication but does require user interaction (clicking the link). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates that the attack can be launched remotely over the network with low complexity and no privileges, but user interaction is necessary. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable code, increasing risk. Although no known exploits are currently in the wild, the vulnerability poses a significant risk to applications using NiceGUI in the affected versions. The issue was patched in version 3.5.0, which properly sanitizes inputs and secures the click event listener implementation to prevent script injection.

For European organizations, the impact of this vulnerability can be significant, especially for those deploying web applications or internal tools using NiceGUI versions 2.22.0 to 3.4.1. Successful exploitation can lead to the compromise of user sessions, theft of sensitive data such as authentication tokens or personal information, and unauthorized manipulation of the user interface. This can result in data breaches, loss of user trust, and potential regulatory non-compliance under GDPR if personal data is exposed. Since the vulnerability requires user interaction, phishing or social engineering campaigns could be used to lure users into clicking malicious links, increasing the attack surface. The medium severity rating reflects that while availability is not impacted, confidentiality and integrity are at risk. Organizations with public-facing NiceGUI applications are at higher risk, but internal deployments can also be targeted by insider threats or lateral movement attacks. The absence of known exploits in the wild provides a window for proactive mitigation before widespread exploitation occurs.

European organizations should immediately upgrade all NiceGUI deployments to version 3.5.0 or later to apply the official patch that addresses this XSS vulnerability. Until upgrades can be completed, implement strict input validation and output encoding on any user-controllable data rendered in the UI, especially in components using ui.sub_pages and click event listeners. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Conduct security awareness training to educate users about the risks of clicking suspicious links, particularly in environments where NiceGUI is used. Regularly audit and monitor web application logs for unusual click patterns or script injection attempts. Additionally, consider deploying web application firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting NiceGUI applications. Finally, maintain an inventory of all NiceGUI instances to ensure comprehensive patch management and vulnerability tracking.