NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.add_css, ui.add_scss, and ui.add_sass functions. The functions lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended <style> or <script> tags by injecting closing tags (e.g., </style> or </script>), allowing for the execution of arbitrary JavaScript. This issue is fixed in version 3.4.0.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| nicegui(PyPI) | 0 | 3.4.0 | N/A |
CVSS Metrics
