CVE-2026-27156: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in zauberzeug nicegui
NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser. Additionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context. Version 3.8.0 contains a fix.
AI Analysis
Technical Summary
CVE-2026-27156 is a medium severity cross-site scripting (XSS) vulnerability affecting the NiceGUI Python UI framework versions prior to 3.8.0. The vulnerability stems from the way several NiceGUI APIs—specifically Element.run_method(), AgGrid.run_grid_method(), EChart.run_chart_method(), and others—execute methods on client-side elements. These APIs rely on a JavaScript-side runMethod() function that falls back to using eval() when executing method names. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript code that executes in the victim's browser context. Additionally, Element.run_method() and Element.get_computed_prop() use unsafe string interpolation instead of proper JSON serialization (json.dumps()) for method and property names, enabling quote injection that breaks out of the intended string context and facilitates code injection. This improper neutralization of input during web page generation is classified under CWE-79. The vulnerability requires user interaction (e.g., clicking a malicious link or visiting a crafted page) but does not require authentication or privileges. The scope is confined to the client-side execution context, impacting confidentiality and integrity by enabling theft of sensitive data or session tokens and manipulation of client-side logic. The vulnerability was fixed in NiceGUI version 3.8.0 by removing the unsafe eval() fallback and properly serializing inputs to prevent injection. No known exploits have been reported in the wild as of the publication date. The CVSS v3.1 base score is 6.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and partial confidentiality and integrity impact.
Potential Impact
The primary impact of CVE-2026-27156 is the potential for attackers to execute arbitrary JavaScript in the browsers of users interacting with vulnerable NiceGUI applications. This can lead to theft of sensitive information such as session cookies, credentials, or personal data, enabling account takeover or unauthorized access. Attackers may also manipulate client-side application logic, potentially altering displayed data or triggering unauthorized actions. Although the vulnerability does not directly affect server availability, successful exploitation can undermine user trust and lead to reputational damage. Organizations relying on NiceGUI for internal or external web interfaces face risks of data leakage and client-side compromise. Since exploitation requires user interaction, phishing or social engineering campaigns could be used to lure victims. The vulnerability affects all deployments using NiceGUI versions prior to 3.8.0, which may include enterprise dashboards, monitoring tools, or customer-facing portals built with this framework. The absence of known exploits in the wild suggests limited active exploitation currently, but the presence of a straightforward injection vector and the use of eval() make this a significant risk if left unpatched.
Mitigation Recommendations
To mitigate CVE-2026-27156, organizations should immediately upgrade all NiceGUI deployments to version 3.8.0 or later, where the vulnerability has been fixed by removing unsafe eval() usage and implementing proper JSON serialization for method and property names. Developers should audit their code to ensure no user-controlled input is passed directly to client-side eval() or similar dynamic code execution functions. Implement strict input validation and sanitization on all user inputs that influence client-side method calls. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of potential XSS attacks. Educate users to be cautious of unsolicited links or inputs that could trigger malicious client-side code. Regularly monitor NiceGUI project updates and security advisories for any further vulnerabilities. Conduct penetration testing and code reviews focusing on client-side code execution paths to detect similar injection risks. If upgrading immediately is not feasible, consider applying custom patches to disable or sanitize the affected APIs, though this is less reliable than upgrading.
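The two server-side patterns the analysis contrasts, as an added example that is not NiceGUI's own code: a constructed builder that interpolates the method name (the pre-3.8.0 pattern described above), the json.dumps() form the fix uses, and an identifier/allowlist check a caller can put in front of either so that, with an eval() fallback on the client, only known method names ever reach the browser. The `runMethod(id, name, args)` call shape and all function names are assumptions.

```python
import json
import re

# Constructed stand-in for the server-side pattern the advisory describes.
# NOT NiceGUI's own code; the runMethod(id, name, args) call shape is an assumption.

def build_call_vulnerable(element_id, method):
    """Pre-3.8.0 style: the method name is interpolated into the JavaScript source.
    A double quote inside `method` closes the string literal early, so whatever
    follows it is emitted as code rather than data (quote injection)."""
    return f'runMethod({element_id}, "{method}", [])'

def build_call_fixed(element_id, method):
    """3.8.0 style as described in the advisory: json.dumps() emits a string
    literal with quotes and backslashes escaped, so all of `method` stays inside it."""
    return f'runMethod({json.dumps(element_id)}, {json.dumps(method)}, [])'

_IDENTIFIER = re.compile(r'^[A-Za-z_$][\w$]*$')

def build_call_strict(element_id, method, allowed=None):
    """Defence in depth for callers: accept only a plain identifier and, if an
    allowlist is given, only names on it. Anything else never reaches the client,
    which matters when the client side falls back to eval() for unknown names."""
    if not _IDENTIFIER.match(method):
        raise ValueError(f'refusing non-identifier method name: {method!r}')
    if allowed is not None and method not in allowed:
        raise ValueError(f'method {method!r} is not in the allowlist')
    return build_call_fixed(element_id, method)

def is_rejected(element_id, method, allowed=None):
    """True if build_call_strict() refuses the method name."""
    try:
        build_call_strict(element_id, method, allowed)
    except ValueError:
        return True
    return False

def extract_method_literal(js):
    """Decode the string literal after the element id and return
    (decoded value, remaining source). A remainder other than ', [])' means
    the literal ended early and part of the name leaked out as code."""
    pos = js.index(', ') + 2
    value, end = json.JSONDecoder().raw_decode(js, pos)
    return value, js[end:]

if __name__ == '__main__':
    tainted = 'focus"; injected(); "'  # constructed input containing a quote
    for builder in (build_call_vulnerable, build_call_fixed):
        value, rest = extract_method_literal(builder(1, tainted))
        print(builder.__name__, 'literal=', repr(value), 'remainder=', repr(rest))
```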
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-18T00:18:53.962Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699e0f3bbe58cf853b2906d6
Added to database: 2/24/2026, 8:51:07 PM
Last enriched: 2/24/2026, 8:53:26 PM
Last updated: 2/24/2026, 10:59:49 PM