CVE-2026-27156 in NiceGUI

Summary

by MITRE • 02/24/2026

NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser. Additionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context. Version 3.8.0 contains a fix.


Analysis

by VulDB Data Team • 02/24/2026

This vulnerability exists within the NiceGUI Python-based UI framework, where the client-side execution of methods through JavaScript introduces critical security flaws. The issue stems from the eval() fallback in the JavaScript-side runMethod() function, which is reached by multiple APIs including Element.run_method(), AgGrid.run_grid_method(), and EChart.run_chart_method(). These functions hand the method name to eval() when the name is not resolved otherwise, so user input passed as the method name parameter creates a direct path to arbitrary JavaScript execution in the victim's browser. The vulnerability represents a classic server-side code injection flaw that manifests on the client side, enabling remote code execution in the context of the user's browser session.

The second component of this vulnerability is the string interpolation used in the Element.run_method() and Element.get_computed_prop() functions. Instead of serializing method and property names with json.dumps(), which would ensure proper escaping and quoting, the framework interpolated them directly into the generated JavaScript, allowing attackers to inject quotes and break out of the intended string context. This quote injection enables attackers to manipulate the JavaScript execution flow and inject code that executes with the privileges of the victim's browser session. The flaw specifically targets the client-side execution context where user-provided input directly influences JavaScript method invocation, making it particularly dangerous because it operates entirely within the browser environment without server-side intervention.

The operational impact of this vulnerability is severe as it allows attackers to execute arbitrary JavaScript code within victim browsers, potentially leading to session hijacking, data theft, cross-site scripting attacks, and other malicious activities. Attackers can leverage this vulnerability to steal cookies, access sensitive information, manipulate UI elements, or redirect users to malicious sites. The attack vector requires user interaction through a vulnerable page that utilizes the affected APIs, making it particularly insidious as it can be exploited through social engineering or by compromising web applications that use NiceGUI. The vulnerability affects all versions prior to 3.8.0 and demonstrates a failure in proper input validation and sanitization at the client-side execution layer.

Mitigation strategies should focus on upgrading to NiceGUI version 3.8.0 or later where the vulnerability has been addressed through proper input sanitization and elimination of eval() usage. Organizations should implement comprehensive input validation for all user-provided method names and ensure that all client-side method execution uses proper JSON serialization instead of string interpolation. Security teams should conduct thorough code reviews to identify similar patterns in other frameworks or applications that might be vulnerable to the same class of injection attacks. The fix aligns with industry best practices for preventing injection vulnerabilities and represents a fundamental security improvement that addresses both the immediate code execution risk and the underlying sanitization issues. This vulnerability serves as a reminder of the critical importance of avoiding eval() usage in client-side code and proper input handling in web applications, particularly when dealing with dynamic method invocation scenarios that are common in modern UI frameworks.
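The two defects described above (plain interpolation of the method name into generated JavaScript, versus json.dumps() serialization) and the recommended allow-list validation, as an added Python example written for this page and not NiceGUI's own code; `build_call_interpolated`, `build_call_json`, `runMethod(id, name, args)` call shape, and the sample element id are assumptions modelled on the advisory's description:

```python
import json
import re

ELEMENT_ID = 42  # constructed sample element id, not a NiceGUI value


def build_call_interpolated(method: str, *args) -> str:
    """Vulnerable pattern (hypothetical, modelled on the advisory): the method
    name is pasted into the JavaScript source with plain interpolation, so a
    quote inside `method` terminates the string literal and whatever follows
    is parsed as code by the client."""
    return f'runMethod({ELEMENT_ID}, "{method}", {json.dumps(list(args))})'


def build_call_json(method: str, *args) -> str:
    """Fixed pattern: json.dumps() emits a JavaScript-compatible string
    literal with quotes, backslashes and control characters escaped, so the
    whole name stays inside the literal."""
    return f'runMethod({ELEMENT_ID}, {json.dumps(method)}, {json.dumps(list(args))})'


# Defense in depth: a method name should be a plain JavaScript identifier.
IDENTIFIER = re.compile(r'^[A-Za-z_$][A-Za-z0-9_$]*$')


def is_valid_method_name(method: str) -> bool:
    return bool(IDENTIFIER.match(method))


def validate_method_name(method: str) -> str:
    """Reject anything that is not a bare identifier before it can reach the
    client-side dispatcher; an eval() fallback then has nothing to work with."""
    if not is_valid_method_name(method):
        raise ValueError(f'invalid method name: {method!r}')
    return method


def method_seen_by_js(js: str) -> str:
    """Check helper: decode the first double-quoted literal in the generated
    call the way a JS engine would (honouring backslash escapes). If the
    decoded value differs from the name that was passed in, the name broke
    out of its string context."""
    start = js.index('"')
    i = start + 1
    while i < len(js):
        if js[i] == '\\':
            i += 2  # escaped character, stays inside the literal
            continue
        if js[i] == '"':
            return json.loads(js[start:i + 1])
        i += 1
    raise ValueError('unterminated string literal')
```

With the constructed name `foo"+bar+"`, the interpolated form yields a literal the engine reads as just `foo` (the remainder is code), while the json.dumps() form decodes back to the full name and the validator rejects it outright.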

This vulnerability is categorized under CWE-94 as "Improper Control of Generation of Code ('Code Injection')" and aligns with ATT&CK technique T1566.001 for "Phishing with Malicious Attachments" and T1203 for "Exploitation for Client Execution" in the context of browser-based attacks. The flaw demonstrates how modern UI frameworks can inadvertently introduce security vulnerabilities through client-side code generation patterns that bypass traditional server-side security controls, making it particularly challenging to detect and prevent through conventional security measures.

Responsible: GitHub M

Reservation: 02/18/2026

Disclosure: 02/24/2026

Moderation: accepted

CPE: ready

EPSS: 0.00047

KEV: no

Activities: very low

Sources
