
"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 4 records (Critical: 0, High: 1, Medium: 3). Showing 1-4 of 4 records.
Threat Entry (updated 2026-01-15)

CVE-2026-21873 - NiceGUI Plugin

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been patched in version 3.5.0.

Plugin: NiceGUI | Severity: HIGH | CVSS 7.2 | 2026-01-08
Threat Entry (updated 2026-01-15)

CVE-2026-21872 - NiceGUI Plugin

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0.

Plugin: NiceGUI | Severity: MEDIUM | CVSS 6.1 | 2026-01-08
Threat Entry (updated 2026-01-15)

CVE-2026-21871 - NiceGUI Plugin

NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is an XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without a page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim's browser. Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected. This issue has…

Plugin: NiceGUI | Severity: MEDIUM | CVSS 6.1 | 2026-01-08
Threat Entry (updated 2026-01-15)

CVE-2026-21874 - NiceGUI Plugin

NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections: errors are logged, but the app stays up with broken storage functionality. This issue has been patched in version 3.5.0.

Plugin: NiceGUI | Severity: MEDIUM | CVSS 5.3 | 2026-01-08