CVE-2026-21872: NiceGUI apps are vulnerable to XSS which uses `ui.sub_pages` and render arbitrary user-provided links

January 8, 2026

An unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes an XSS when the user actively clicks on the link.

References

github.com/advisories/GHSA-m7j5-rq9j-6jj9
github.com/zauberzeug/nicegui
github.com/zauberzeug/nicegui/releases/tag/v3.5.0
github.com/zauberzeug/nicegui/security/advisories/GHSA-m7j5-rq9j-6jj9
nvd.nist.gov/vuln/detail/CVE-2026-21872

Code Behaviors & Features

Detect and mitigate CVE-2026-21872 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →