GHSA-78qv-3mpx-9cqq: NiceGUI vulnerable to XSS via Code Injection during client-side element function execution
Summary
NiceGUI has a cross-site scripting (XSS) vulnerability. Several APIs that run methods on client-side elements rely on an unsafe `eval()` fallback in the client-side `runMethod()` function: a method name that does not resolve to a real method of the element is executed as JavaScript, so any user input that reaches a method name (for example a URL parameter) can inject script. In addition, some of these methods build the JavaScript snippet with string interpolation instead of proper escaping, so a method or property name containing a quote can close the intended string literal and append arbitrary code. Injected script runs in the victim's browser and can steal cookies, manipulate the page, or perform actions as the victim.
Solution / Mitigation
Escape method and property names with `json.dumps()` in `run_method()` and `get_computed_prop()` so that they always land inside a JavaScript string literal, and remove the `eval()` fallback from the `runMethod()` function in `nicegui.js` so that an invalid method name raises an error instead of being executed as code. Code that previously relied on passing a JavaScript function as a method name should use `ui.run_javascript()` instead, for example: `row = await ui.run_javascript(f'return getElement({grid.id}).api.getDisplayedRowAtIndex(0).data')` instead of `row = await grid.run_grid_method('g => g.getDisplayedRowAtIndex(0).data')`.
Vulnerability Details
EPSS: 0.0%
Original source: https://github.com/advisories/GHSA-78qv-3mpx-9cqq
First tracked: February 24, 2026 at 03:00 PM