Publish GHSA-78qv-3mpx-9cqq

Author: advisory-database[bot]

advisories/github-reviewed/2026/02/GHSA-78qv-3mpx-9cqq/GHSA-78qv-3mpx-9cqq.json

@@ -0,0 +1,72 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-78qv-3mpx-9cqq",
+  "modified": "2026-02-24T19:56:18Z",
+  "published": "2026-02-24T19:56:18Z",
+  "aliases": [
+    "CVE-2026-27156"
+  ],
+  "summary": "NiceGUI vulnerable to XSS via Code Injection during client-side element function execution",
+  "details": "### Summary\n\nSeveral NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser.\n\nAdditionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context.\n\n### Attack Vector\n\nAn attacker crafts a malicious URL with a payload as a query parameter. If the application passes this parameter as a method name to any of the affected APIs, the payload is sent to the client via WebSocket and executed via `eval()`.\n\n**Example:** `/?method=alert(document.cookie)` combined with application code like:\n```python\nelement.run_method(user_provided_method_name)\n```\n\n### Impact\n\n- Cookie/token theft\n- DOM manipulation (phishing, fake login forms)\n- Actions performed as the victim user\n\n### Affected Methods\n\n1. `Element.run_method()`\n2. `Element.get_computed_prop()`\n3. `AgGrid.run_grid_method()`\n4. `AgGrid.run_row_method()`\n5. `EChart.run_chart_method()`\n6. `JsonEditor.run_editor_method()`\n7. `Xterm.run_terminal_method()`\n8. `Leaflet.run_map_method()`\n9. `Leaflet.run_layer_method()`\n10. `LeafletLayer.run_method()`\n\n### Fix\n\n1. Use `json.dumps()` for proper escaping of method/property names in `run_method()` and `get_computed_prop()`\n2. Remove the `eval()` fallback from `runMethod()` in `nicegui.js` — method names that are not found on the element now raise an error instead of being evaluated as arbitrary JavaScript\n\n### Migration\n\nCode that previously passed JavaScript functions as method names needs to use `ui.run_javascript()` instead:\n\n```python\n# Before:\nrow = await grid.run_grid_method('g => g.getDisplayedRowAtIndex(0).data')\n\n# After:\nrow = await ui.run_javascript(f'return getElement({grid.id}).api.getDisplayedRowAtIndex(0).data')\n```",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "nicegui"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.8.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.7.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-78qv-3mpx-9cqq"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27156"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef3774720f8dbf"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/zauberzeug/nicegui"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-24T19:56:18Z",
+    "nvd_published_at": "2026-02-24T18:29:33Z"
+  }
+}