NIXPKGS-2026-0372

GitHub issue published on

Permalink CVE-2026-27156

6.1 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

updated 2 months, 4 weeks ago by @LeSuisse Activity log

Created suggestion 2 months, 4 weeks ago
@LeSuisse ignored
3 packages
- python312Packages.nicegui-highcharts
- python313Packages.nicegui-highcharts
- python314Packages.nicegui-highcharts
2 months, 4 weeks ago
@LeSuisse accepted 2 months, 4 weeks ago
@LeSuisse published on GitHub 2 months, 4 weeks ago

NiceGUI has XSS via Code Injection

NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser. Additionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context. Version 3.8.0 contains a fix.

References

https://github.com/zauberzeug/nicegui/security/advisories/GHSA-78qv-3mpx-9cqq x_refsource_CONFIRM
https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef3774720f8dbf x_refsource_MISC

Affected products

nicegui

==< 3.8.0

Matching in nixpkgs

pkgs.python312Packages.nicegui

Module to create web-based user interfaces

nixos-25.11 3.1.0
- nixos-25.11-small 3.1.0
- nixpkgs-25.11-darwin 3.1.0

pkgs.python313Packages.nicegui

Module to create web-based user interfaces

nixos-unstable 3.7.1
- nixpkgs-unstable 3.7.1
- nixos-unstable-small 3.7.1
nixos-25.11 3.1.0
- nixos-25.11-small 3.1.0
- nixpkgs-25.11-darwin 3.1.0

pkgs.python314Packages.nicegui

Module to create web-based user interfaces

nixos-unstable 3.7.1
- nixpkgs-unstable 3.7.1
- nixos-unstable-small 3.7.1

Ignored packages (3)

pkgs.python312Packages.nicegui-highcharts

NiceGUI with support for Highcharts

nixos-25.11 3.1.0
- nixos-25.11-small 3.1.0
- nixpkgs-25.11-darwin 3.1.0

pkgs.python313Packages.nicegui-highcharts

NiceGUI with support for Highcharts

nixos-unstable 3.1.0
- nixpkgs-unstable 3.2.0
- nixos-unstable-small 3.2.0
nixos-25.11 3.1.0
- nixos-25.11-small 3.1.0
- nixpkgs-25.11-darwin 3.1.0

pkgs.python314Packages.nicegui-highcharts

NiceGUI with support for Highcharts

nixos-unstable 3.1.0
- nixpkgs-unstable 3.2.0
- nixos-unstable-small 3.2.0

Package maintainers

@fabaff Fabian Affolter <mail@fabian-affolter.ch>

Upstream advisory: https://github.com/zauberzeug/nicegui/security/advisories/GHSA-78qv-3mpx-9cqq
Upstream patch: https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef3774720f8dbf

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0372

References

Affected products

Matching in nixpkgs

pkgs.python312Packages.nicegui

pkgs.python313Packages.nicegui

pkgs.python314Packages.nicegui

pkgs.python312Packages.nicegui-highcharts

pkgs.python313Packages.nicegui-highcharts

pkgs.python314Packages.nicegui-highcharts

Package maintainers