NiceGUI CVE-2026-27156: When F-Strings Build Bridges to Hell
Vulnerability ID: CVE-2026-27156
CVSS Score: 6.1
Published: 2026-02-24
A critical Cross-Site Scripting (XSS) vulnerability in NiceGUI allows attackers to execute arbitrary JavaScript by injecting malicious payloads into method names. The flaw stems from unsafe string interpolation in the Python backend and a dangerous eval() fallback in the JavaScript frontend.
TL;DR
NiceGUI versions prior to 3.8.0 used Python f-strings to construct JavaScript commands and included an eval() fallback in the client-side code. This allows attackers to break out of string quotas or trigger arbitrary code execution via the run_method API.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network (Reflected)
- CVSS v3.1: 6.1 (Medium)
- Impact: Cross-Site Scripting (XSS)
- Exploit Status: PoC Available
- Fix Version: 3.8.0
Affected Systems
- NiceGUI < 3.8.0
-
nicegui: < 3.8.0 (Fixed in:
3.8.0)
Code Analysis
Commit: 1861f59
Fix: verify method_name in run_method and escape it
- return self.client.run_javascript(f'return runMethod({self.id}, "{name}", {json.dumps(args)})', timeout=timeout)
+ return self.client.run_javascript(
+ f'return runMethod({self.id}, {json.dumps(name)}, {json.dumps(args)})', timeout=timeout,
+ )
Exploit Details
- GitHub Security Advisory: Advisory containing description of the quote injection vector
Mitigation Strategies
- Upgrade NiceGUI to version 3.8.0 or later.
- Avoid passing user-controlled input directly to
run_methodorrun_javascriptAPIs. - Implement Content Security Policy (CSP) to restrict
evaland inline scripts.
Remediation Steps:
- Run
pip list | grep niceguito check the current version. - Execute
pip install --upgrade niceguito update. - Restart the application server.
- Verify the fix by checking
nicegui/static/nicegui.jsfor the removal of theeval()fallback.
References
Read the full report for CVE-2026-27156 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)