CVE-2026-25516

MEDIUM

6.1

Descripcion

NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers. Unlike other NiceGUI components that render HTML (ui.html(), ui.chat_message(), ui.interactive_image()), the ui.markdown() component does not provide or require a sanitize parameter, leaving applications vulnerable to XSS attacks. This vulnerability is fixed in 3.7.0.

Detalles CVE

Puntuacion CVSS v3.16.1

SeveridadMEDIUM

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosNONE

Interaccion usuarioREQUIRED

Publicado2/6/2026

Ultima modificacion2/20/2026

Fuentenvd

Avistamientos honeypot0

Productos afectados

zauberzeug:nicegui

Debilidades (CWE)

CWE-79

Referencias

https://github.com/zauberzeug/nicegui/commit/f1f7533577875af7d23f161ed3627f73584cb561(security-advisories@github.com)

https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v82v-c5x8-w282(security-advisories@github.com)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.