CVE-2025-53354: NiceGUI is vulnerable to Reflected XSS attack

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-53354

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

NiceGUI is vulnerable to Reflected XSS attack

Source: NVD (National Vulnerability Database)

Vulnerability Description

NiceGUI is a Python-based UI framework. Versions 2.24.2 and below are at risk for Cross-Site Scripting (XSS) when developers render unescaped user input into the DOM using ui.html(). NiceGUI did not enforce HTML or JavaScript sanitization, so applications that directly combine components like ui.input() with ui.html() or ui.chat_message with HTML content without escaping may allow attackers to execute arbitrary JavaScript in the user’s browser. Applications that do not pass untrusted input into ui.html() are not affected. This issue is fixed in version 3.0.0.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Source: NVD (National Vulnerability Database)

Vulnerability Title

NiceGUI 跨站脚本漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

NiceGUI是NiceGUI开源的一个易于使用、基于 Python 的 UI 框架。 NiceGUI 2.24.2及之前版本存在跨站脚本漏洞，该漏洞源于未强制进行HTML或JavaScript清理，可能导致跨站脚本攻击。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
zauberzeug	nicegui	< 3.0.0	-

II. Public POCs for CVE-2025-53354

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2025-53354

Please Login to view more intelligence information

https://github.com/zauberzeug/nicegui/security/advisories/GHSA-8c95-hpq2-w46fx_refsource_CONFIRM
https://github.com/zauberzeug/nicegui/commit/4673dc35c94a0c7339e2164378b0977332e60775x_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2025-53354

IV. Related Vulnerabilities

Same product: nicegui

Same vendor: zauberzeug

Same weakness: CWE-79

V. Comments for CVE-2025-53354

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2025-53354

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2025-53354

III. Intelligence Information for CVE-2025-53354

IV. Related Vulnerabilities

V. Comments for CVE-2025-53354

Leave a comment