Description

NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser. Additionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context. Version 3.8.0 contains a fix.

INFO

Published Date :

2026-02-24T17:00:21.628Z

Last Modified :

2026-02-26T21:33:40.507Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27156 vulnerability.

Vendors Products
Zauberzeug
  • Nicegui
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27156.

URL Resource
https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef3774720f8dbf cve-icon cve-icon
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-78qv-3mpx-9cqq cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact