CVE-2025-66469 | THREATINT

Description

NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.add_css, ui.add_scss, and ui.add_sass functions. The functions lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended <style> or <script> tags by injecting closing tags (e.g., </style> or </script>), allowing for the execution of arbitrary JavaScript. This issue is fixed in version 3.4.0.

PUBLISHED Reserved 2025-12-02 | Published 2025-12-08 | Updated 2025-12-09 | Assigner GitHub_M

MEDIUM: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 3.4.0

affected

References

github.com/...icegui/security/advisories/GHSA-72qc-wxch-74mg exploit

github.com/...icegui/security/advisories/GHSA-72qc-wxch-74mg

github.com/...ommit/a8fd25b7d5e23afb1952d0f60a1940e18b5f1ca8

cve.org (CVE-2025-66469)

nvd.nist.gov (CVE-2025-66469)

Download JSON