CVE-2026-27156

NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser. Additionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context. Version 3.8.0 contains a fix.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef3774720f8dbf	Patch
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-78qv-3mpx-9cqq	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-24 18:29

Updated : 2026-02-26 18:10

NVD link : CVE-2026-27156

Mitre link : CVE-2026-27156

CVE.ORG link : CVE-2026-27156

JSON object : View

Products Affected

zauberzeug

nicegui

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-27156", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2026-02-24T18:29:33.490", "references": [{"url": "https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef3774720f8dbf", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-78qv-3mpx-9cqq", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser. Additionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context. Version 3.8.0 contains a fix."}, {"lang": "es", "value": "NiceGUI es un framework de Interfaz de Usuario basado en Python. Antes de la versi\u00f3n 3.8.0, varias APIs de NiceGUI que ejecutan m\u00e9todos en elementos del lado del cliente ('Element.run_method()', 'AgGrid.run_grid_method()', 'EChart.run_chart_method()' y otras) usan un mecanismo de reserva 'eval()' en la funci\u00f3n 'runMethod()' del lado de JavaScript. Cuando se pasa una entrada controlada por el usuario como nombre del m\u00e9todo, un atacante puede inyectar JavaScript arbitrario que se ejecuta en el navegador de la v\u00edctima. Adem\u00e1s, 'Element.run_method()' y 'Element.get_computed_prop()' usaban interpolaci\u00f3n de cadenas en lugar de 'json.dumps()' para el nombre del m\u00e9todo/propiedad, lo que permit\u00eda la inyecci\u00f3n de comillas para escapar del contexto de cadena previsto. La versi\u00f3n 3.8.0 contiene una correcci\u00f3n."}], "lastModified": "2026-02-26T18:10:00.633", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1FE39EE2-B868-4B38-8F63-309587634F75", "versionEndExcluding": "3.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}