CVE-2026-21873: NiceGUI apps which use `ui.sub_pages` vulnerable to zero-click XSS
The pushstate event listener used by `ui.sub_pages` is implemented unsafely, which allows an attacker to manipulate the fragment identifier of the URL. The attacker can do this even from a cross-site context by using an iframe.