Description

NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers. Unlike other NiceGUI components that render HTML (ui.html(), ui.chat_message(), ui.interactive_image()), the ui.markdown() component does not provide or require a sanitize parameter, leaving applications vulnerable to XSS attacks. This vulnerability is fixed in 3.7.0.

INFO

Published Date :

2026-02-06T21:12:19.501Z

Last Modified :

2026-02-09T15:27:15.351Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25516 vulnerability.

Vendors Products
Zauberzeug
  • Nicegui
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25516.

URL Resource
https://github.com/zauberzeug/nicegui/commit/f1f7533577875af7d23f161ed3627f73584cb561 cve-icon cve-icon
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v82v-c5x8-w282 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact