CVE-2026-25516 in NiceGUIinfo

Zusammenfassung

von MITRE • 07.02.2026

NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers. Unlike other NiceGUI components that render HTML (ui.html(), ui.chat_message(), ui.interactive_image()), the ui.markdown() component does not provide or require a sanitize parameter, leaving applications vulnerable to XSS attacks. This vulnerability is fixed in 3.7.0.

Once again VulDB remains the best source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Zuständig

GitHub M

Reservieren

02.02.2026

Veröffentlichung

07.02.2026

Moderieren

akzeptiert

Eintrag

VDB-344795

CPE

bereit

CWE

CWE-79 (bestätigt)

CVSS

6.1 (CNA)

EPSS

0.00021

KEV

nein

Aktivitäten

very low

Quellen

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-25516
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-25516
CVE Details	https://www.cvedetails.com/cve/CVE-2026-25516/

◂ Zurück Übersicht Weiter ▸

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!