
CVE-2026-27156: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in zauberzeug nicegui

Severity: Medium
Tags: Vulnerability, CVE-2026-27156, CWE-79
Published: Tue Feb 24 2026 (02/24/2026, 17:00:21 UTC)
Source: CVE Database V5
Vendor/Project: zauberzeug
Product: nicegui

Description

NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser. Additionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context. Version 3.8.0 contains a fix.

AI-Powered Analysis (machine-generated threat intelligence)

Last updated: 03/04/2026, 19:02:45 UTC

Technical Analysis

CVE-2026-27156 is a cross-site scripting (XSS) vulnerability in NiceGUI, a Python-based UI toolkit for building interactive web interfaces. It affects versions prior to 3.8.0 and involves several APIs that execute methods on client-side elements, including Element.run_method(), AgGrid.run_grid_method() and EChart.run_chart_method(). These APIs delegate to a JavaScript-side runMethod() function that falls back to eval() on the supplied method-name string, so whenever user-controlled input reaches the method-name parameter an attacker can have arbitrary JavaScript executed in the victim's browser context. In addition, Element.run_method() and Element.get_computed_prop() built their client-side call with string interpolation rather than json.dumps(), so a method or property name containing a quote closes the intended string literal early and the remainder of the name is parsed as code. Both weaknesses are instances of improper neutralization of input during web page generation, CWE-79.

Exploitation requires no authentication but does require user interaction, consistent with the CVSS v3.1 base score of 6.1 (medium): network attack vector, low attack complexity, no privileges required, user interaction required, low impact on confidentiality and integrity, no impact on availability. The two defects are independent: correct JSON serialization of the name does not by itself remove the risk, because the eval() fallback still evaluates a syntactically valid expression that is passed as the name. Version 3.8.0 addresses the issue by removing the unsafe eval() fallback and serializing the inputs with json.dumps(). No exploitation in the wild has been reported.
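The quote break-out described above, reduced to the two serialization strategies it contrasts. This is a constructed illustration added to this page, not NiceGUI's own code: the call template, the element id and the attacker-supplied method name are assumptions, and the small scanner only distinguishes code from double-quoted string literals, which is enough to show which part of the emitted expression a browser would execute.

```python
import json

# Constructed illustration, not NiceGUI's own code: two ways a server can turn
# an element id, a method name and arguments into the JavaScript call string
# sent to the browser. Only the second survives a hostile method name.

ELEMENT_ID = 7  # hypothetical element id


def build_call_interpolated(element_id: int, method_name: str, *args) -> str:
    """Unsafe pattern: the method name is dropped into the JS source verbatim.
    The arguments are JSON-encoded, but a quote in the name closes the string
    literal early and everything after it becomes code."""
    return f'runMethod({element_id}, "{method_name}", {json.dumps(list(args))})'


def build_call_serialized(element_id: int, method_name: str, *args) -> str:
    """Fixed pattern: json.dumps() escapes quotes, backslashes and control
    characters, so whatever the name contains stays inside one string literal."""
    return f"runMethod({element_id}, {json.dumps(method_name)}, {json.dumps(list(args))})"


def outside_string_literals(js: str) -> str:
    """Return the characters of a JS snippet that sit outside double-quoted
    string literals (backslash escapes handled). This is the part the browser
    parses as code; the literals' contents are data."""
    out, in_string, escaped = [], False, False
    for ch in js:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        else:
            out.append(ch)
    return "".join(out)


def injects_code(js: str, marker: str = "alert(") -> bool:
    """True if the marker appears as code rather than inside a string literal."""
    return marker in outside_string_literals(js)


# Constructed attacker-supplied method name: closes the literal, finishes the
# runMethod(...) call, runs a payload, then opens a new literal so the rest of
# the template still parses.
HOSTILE_NAME = 'focus", []); alert(document.cookie); ("'


def demo() -> dict:
    unsafe = build_call_interpolated(ELEMENT_ID, HOSTILE_NAME)
    safe = build_call_serialized(ELEMENT_ID, HOSTILE_NAME)
    return {
        "unsafe_js": unsafe,
        "unsafe_injects": injects_code(unsafe),  # True
        "safe_js": safe,
        "safe_injects": injects_code(safe),      # False
        "benign_js": build_call_serialized(ELEMENT_ID, "focus"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the interpolated string, in which `alert(document.cookie)` sits between two complete statements, and the serialized string, in which the same bytes are an escaped substring of one literal. Serialization closes only this break-out path; a name that is itself a valid expression still needs the eval() fallback removed or the name validated before the call.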

Potential Impact

The vulnerability lets an attacker execute arbitrary JavaScript in the browsers of users interacting with an affected NiceGUI application. That can lead to theft of session tokens, credentials or personal data, actions performed on behalf of the user, and in turn compromise of user accounts. Any organization running a vulnerable version whose application forwards user-controlled values to the affected APIs exposes its users to XSS; the impact is greatest for applications that handle sensitive data or drive critical operations. The attack requires user interaction, but its low complexity and network reachability keep the risk meaningful. Integrity of data displayed or processed by the application and confidentiality of the user's session can both be compromised; availability is not directly affected. Organizations relying on NiceGUI for internal or external web applications may additionally face reputational damage, compliance consequences, and further exploitation if the XSS is used as an initial foothold.

Mitigation Recommendations

The primary mitigation is to upgrade every NiceGUI deployment to version 3.8.0 or later, which removes the eval() fallback and serializes method and property names with json.dumps(). Where an upgrade must wait, reduce exposure at the application layer: never pass user-controlled data as the method or property name to Element.run_method(), Element.get_computed_prop(), AgGrid.run_grid_method(), EChart.run_chart_method() or similar APIs. If a name must vary at runtime, select it from a fixed allowlist rather than sanitizing free-form input, because the eval() fallback executes any syntactically valid expression that reaches it, quotes or not. Audit custom code for these call sites. A Content Security Policy whose script-src omits 'unsafe-eval' makes the browser refuse eval() and therefore blocks the fallback outright, but it may also break legitimate uses that relied on that fallback, so test it in staging first. Log monitoring and web application firewalls have limited reach here: NiceGUI exchanges UI events and updates over a WebSocket rather than discrete HTTP requests, so a WAF inspecting HTTP traffic may never see the injected value, and generic XSS signatures are tuned to HTML contexts rather than a method name inside a JavaScript call. Treat them as defense in depth, not as a substitute for the upgrade. Finally, make sure developers understand that eval() and string interpolation into JavaScript source are injection sinks regardless of framework.
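An application-side guard of the kind the interim mitigation calls for, added here as an example and not part of NiceGUI or the advisory. It assumes an element object exposing run_method(name, *args), as NiceGUI's Element does, a hypothetical allowlist of the few client-side methods the application actually needs, and the fix version 3.8.0 stated above; the version check reads the installed distribution metadata and treats an absent package as unpatched.

```python
import importlib.metadata
import re
from typing import Optional

# Constructed application-side guard, not NiceGUI's own code. It assumes an
# element exposing run_method(name, *args) and a hypothetical allowlist.

FIXED_VERSION = (3, 8, 0, 0)  # advisory: fixed in NiceGUI 3.8.0

# Hypothetical allowlist for this application. Keep it small and explicit.
ALLOWED_METHODS = frozenset({"focus", "blur", "click", "scrollIntoView"})

# A bare JS identifier: no quotes, parentheses, dots or whitespace, so it can
# neither close a string literal nor form an expression for an eval() fallback.
_IDENTIFIER = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")


def is_safe_method_name(name: object, allowlist: frozenset = ALLOWED_METHODS) -> bool:
    """Accept only an allowlisted bare identifier; everything else is rejected."""
    return isinstance(name, str) and bool(_IDENTIFIER.match(name)) and name in allowlist


def parse_version(version: str) -> tuple:
    """'3.7.1' -> (3, 7, 1, 0). A pre-release suffix such as '3.8.0rc1' yields
    (3, 8, 0, -1) so it sorts below the final 3.8.0 release."""
    nums, pre = [], 0
    for piece in version.split(".")[:3]:
        m = re.match(r"(\d+)(.*)", piece)
        if not m:
            break
        nums.append(int(m.group(1)))
        if m.group(2):
            pre = -1
            break
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2], pre)


def nicegui_is_patched(installed_version: Optional[str] = None) -> bool:
    """Compare against the fix version. With no argument, read the installed
    nicegui distribution; an absent or unparsable version counts as unpatched."""
    if installed_version is None:
        try:
            installed_version = importlib.metadata.version("nicegui")
        except importlib.metadata.PackageNotFoundError:
            return False
    return parse_version(installed_version) >= FIXED_VERSION


def guarded_run_method(element, name, *args):
    """Forward to element.run_method() only for an allowlisted bare identifier.
    This rejects both quote break-outs and plain expressions such as 'alert(1)',
    which an eval() fallback would run even when the name is JSON-serialized."""
    if not is_safe_method_name(name):
        raise ValueError(f"refusing to run client-side method: {name!r}")
    return element.run_method(name, *args)


class RecordingElement:
    """Stand-in for a NiceGUI element so the guard can be exercised offline."""

    def __init__(self):
        self.calls = []

    def run_method(self, name, *args):
        self.calls.append((name, args))
        return name


if __name__ == "__main__":
    el = RecordingElement()
    print("installed nicegui patched:", nicegui_is_patched())
    print(guarded_run_method(el, "focus"))
    for bad in ("alert(1)", 'focus", []); alert(1); ("', "constructor"):
        try:
            guarded_run_method(el, bad)
        except ValueError as exc:
            print(exc)
```

Wrap the affected calls behind guarded_run_method() rather than validating at each call site, and keep the allowlist in one place so a review can see every client-side method the application is willing to invoke. The version check is a deployment-time sanity test, not a runtime defense: an unpatched version still ships the eval() fallback, and the guard only limits what reaches it.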


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-02-18T00:18:53.962Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699e0f3bbe58cf853b2906d6

Added to database: 2/24/2026, 8:51:07 PM

Last enriched: 3/4/2026, 7:02:45 PM

Last updated: 4/10/2026, 6:24:15 AM

