DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27156: NiceGUI CVE-2026-27156: When F-Strings Build Bridges to Hell

NiceGUI CVE-2026-27156: When F-Strings Build Bridges to Hell

Vulnerability ID: CVE-2026-27156
CVSS Score: 6.1
Published: 2026-02-24

A critical Cross-Site Scripting (XSS) vulnerability in NiceGUI allows attackers to execute arbitrary JavaScript by injecting malicious payloads into method names. The flaw stems from unsafe string interpolation in the Python backend and a dangerous eval() fallback in the JavaScript frontend.

TL;DR

NiceGUI versions prior to 3.8.0 used Python f-strings to construct JavaScript commands and included an eval() fallback in the client-side code. This allows attackers to break out of string quotas or trigger arbitrary code execution via the run_method API.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network (Reflected)
  • CVSS v3.1: 6.1 (Medium)
  • Impact: Cross-Site Scripting (XSS)
  • Exploit Status: PoC Available
  • Fix Version: 3.8.0

Affected Systems

  • NiceGUI < 3.8.0
  • nicegui: < 3.8.0 (Fixed in: 3.8.0)

Code Analysis

Commit: 1861f59

Fix: verify method_name in run_method and escape it

-        return self.client.run_javascript(f'return runMethod({self.id}, "{name}", {json.dumps(args)})', timeout=timeout)
+        return self.client.run_javascript(
+            f'return runMethod({self.id}, {json.dumps(name)}, {json.dumps(args)})', timeout=timeout,
+        )
Enter fullscreen mode Exit fullscreen mode

Exploit Details

Mitigation Strategies

  • Upgrade NiceGUI to version 3.8.0 or later.
  • Avoid passing user-controlled input directly to run_method or run_javascript APIs.
  • Implement Content Security Policy (CSP) to restrict eval and inline scripts.

Remediation Steps:

  1. Run pip list | grep nicegui to check the current version.
  2. Execute pip install --upgrade nicegui to update.
  3. Restart the application server.
  4. Verify the fix by checking nicegui/static/nicegui.js for the removal of the eval() fallback.

References


Read the full report for CVE-2026-27156 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)