CVE-2025-66470: NiceGUI Stored/Reflected XSS in ui.interactive_image via unsanitized SVG content

December 8, 2025 (updated December 9, 2025)

A Cross-Site Scripting (XSS) vulnerability exists in the ui.interactive_image component of NiceGUI (v3.3.1 and earlier). The component renders SVG content using Vue’s v-html directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG <foreignObject> tag.

References

github.com/advisories/GHSA-2m4f-cg75-76w2
github.com/zauberzeug/nicegui
github.com/zauberzeug/nicegui/commit/58ad0b36e19922de16bbc79ea3ddd29851b1a3e3
github.com/zauberzeug/nicegui/security/advisories/GHSA-2m4f-cg75-76w2
nvd.nist.gov/vuln/detail/CVE-2025-66470

Code Behaviors & Features

Detect and mitigate CVE-2025-66470 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →