FKIE_CVE-2026-27156
Vulnerability from fkie_nvd - Published: 2026-02-24 18:29 - Updated: 2026-02-26 18:10
Severity: MEDIUM (CVSS 3.1 base score 6.1)
Summary
NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser. Additionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context. Version 3.8.0 contains a fix.
References
- Patch: https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef3774720f8dbf
- Mitigation, Vendor Advisory: https://github.com/zauberzeug/nicegui/security/advisories/GHSA-78qv-3mpx-9cqq
Impacted products
| Vendor | Product | Version |
|---|---|---|
| zauberzeug | nicegui | * (all versions before 3.8.0) |
```json
{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1FE39EE2-B868-4B38-8F63-309587634F75",
              "versionEndExcluding": "3.8.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim\u0027s browser. Additionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context. Version 3.8.0 contains a fix."
    },
    {
      "lang": "es",
      "value": "NiceGUI es un framework de Interfaz de Usuario basado en Python. Antes de la versi\u00f3n 3.8.0, varias APIs de NiceGUI que ejecutan m\u00e9todos en elementos del lado del cliente (\u0027Element.run_method()\u0027, \u0027AgGrid.run_grid_method()\u0027, \u0027EChart.run_chart_method()\u0027 y otras) usan un mecanismo de reserva \u0027eval()\u0027 en la funci\u00f3n \u0027runMethod()\u0027 del lado de JavaScript. Cuando se pasa una entrada controlada por el usuario como nombre del m\u00e9todo, un atacante puede inyectar JavaScript arbitrario que se ejecuta en el navegador de la v\u00edctima. Adem\u00e1s, \u0027Element.run_method()\u0027 y \u0027Element.get_computed_prop()\u0027 usaban interpolaci\u00f3n de cadenas en lugar de \u0027json.dumps()\u0027 para el nombre del m\u00e9todo/propiedad, lo que permit\u00eda la inyecci\u00f3n de comillas para escapar del contexto de cadena previsto. La versi\u00f3n 3.8.0 contiene una correcci\u00f3n."
    }
  ],
  "id": "CVE-2026-27156",
  "lastModified": "2026-02-26T18:10:00.633",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-24T18:29:33.490",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef3774720f8dbf"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-78qv-3mpx-9cqq"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}
```
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.