CVE-2026-27156 Overview
NiceGUI is a Python-based UI framework that enables developers to create web interfaces using Python code. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements—including Element.run_method(), AgGrid.run_grid_method(), EChart.run_chart_method(), and others—use an eval() fallback in the JavaScript-side runMethod() function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser. Additionally, Element.run_method() and Element.get_computed_prop() used string interpolation instead of json.dumps() for the method/property name, allowing quote injection to break out of the intended string context.
Critical Impact
Attackers can execute arbitrary JavaScript in victim browsers through malicious method names, potentially leading to session hijacking, credential theft, and unauthorized actions on behalf of authenticated users.
Affected Products
- Zauberzeug NiceGUI versions prior to 3.8.0
Discovery Timeline
- 2026-02-24 - CVE CVE-2026-27156 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-27156
Vulnerability Analysis
This Cross-Site Scripting (XSS) vulnerability exists in the NiceGUI framework's method execution architecture. The framework allows Python code to call JavaScript methods on client-side UI elements through functions like Element.run_method(). The vulnerable code path involves a JavaScript runMethod() function that attempts to locate and execute the specified method on target elements. When the method name isn't found as a direct property of the element, the code falls back to using eval() to execute the method name as arbitrary JavaScript code.
The vulnerability is compounded by improper string handling in the Python-side code. The Element.run_method() and Element.get_computed_prop() functions used Python f-string interpolation to embed the method name directly into the JavaScript string, rather than properly serializing it with json.dumps(). This allowed attackers to inject quote characters that break out of the string context, enabling arbitrary code execution even before reaching the eval() fallback.
Root Cause
The root cause is twofold: First, the use of eval() as a fallback mechanism in the JavaScript runMethod() function when a method name is not found on the target element. Second, improper input sanitization where method names were embedded using string interpolation (f'return runMethod({self.id}, "{name}", {json.dumps(args)})') instead of proper JSON serialization. This combination allows user-controlled method names to escape the string context and execute arbitrary JavaScript in the victim's browser.
Attack Vector
An attacker can exploit this vulnerability by supplying a malicious method name containing JavaScript code to any NiceGUI application that passes user-controlled input to element method execution functions. The attack is network-based and requires user interaction—the victim must visit a page containing the malicious payload or interact with a component that triggers the vulnerable code path. Due to the changed scope, successful exploitation can impact resources beyond the vulnerable component's security context.
# Vulnerable code pattern (Python side)
# Source: https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef3774720f8dbf
"""
if not core.loop:
return NullResponse()
- return self.client.run_javascript(f'return runMethod({self.id}, "{name}", {json.dumps(args)})', timeout=timeout)
+ return self.client.run_javascript(
+ f'return runMethod({self.id}, {json.dumps(name)}, {json.dumps(args)})', timeout=timeout,
+ )
def get_computed_prop(self, prop_name: str, *, timeout: float = 1) -> AwaitableResponse:
"""Return a computed property.
// Vulnerable code pattern (JavaScript side) - eval() fallback removed
// Source: https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef3774720f8dbf
if (typeof target === "object") {
if (method_name in target) {
return target[method_name](...args);
- } else {
- return eval(method_name)(target, ...args);
}
- }
- const element = getElement(target);
- if (element === null || element === undefined) return;
- if (method_name in element) {
- return element[method_name](...args);
- } else if (method_name in (element.$refs.qRef || [])) {
- return element.$refs.qRef[method_name](...args);
} else {
- return eval(method_name)(element, ...args);
+ const element = getElement(target);
+ if (element === null || element === undefined) return;
+ if (method_name in element) {
+ return element[method_name](...args);
+ } else if (method_name in (element.$refs.qRef || [])) {
+ return element.$refs.qRef[method_name](...args);
+ }
+ }
+ let msg = `Method "${method_name}" not found.`;
+ if (method_name.includes("=>") || method_name.startsWith("(")) {
+ msg += " To run arbitrary JavaScript, use ui.run_javascript() instead.";
}
+ logAndEmit("error", msg);
}
Detection Methods for CVE-2026-27156
Indicators of Compromise
- Unusual JavaScript execution patterns in browser developer console logs containing eval() calls with user-supplied strings
- HTTP requests containing JavaScript code fragments in parameters destined for NiceGUI method execution endpoints
- Browser-side error messages referencing unexpected method names containing arrow functions (=>) or parentheses
- Session cookie exfiltration attempts or unexpected outbound requests from client browsers
Detection Strategies
- Implement Content Security Policy (CSP) headers with script-src directives that prevent inline script execution and report violations
- Monitor web application firewall (WAF) logs for requests containing JavaScript syntax in method name parameters
- Deploy browser-based monitoring to detect unexpected eval() calls or DOM manipulation patterns
- Review application logs for method invocation errors with suspicious method names
Monitoring Recommendations
- Enable CSP reporting to receive notifications of blocked script execution attempts
- Configure centralized logging for all NiceGUI application server errors and client-side exceptions
- Implement real-time alerting for patterns consistent with XSS exploitation attempts
- Monitor for unusual client-side network requests that may indicate data exfiltration
How to Mitigate CVE-2026-27156
Immediate Actions Required
- Upgrade NiceGUI to version 3.8.0 or later immediately
- Audit application code for any usage of Element.run_method(), AgGrid.run_grid_method(), EChart.run_chart_method(), or Element.get_computed_prop() with user-controlled input
- Implement input validation and sanitization for any method names derived from user input
- Deploy Content Security Policy headers to mitigate potential exploitation of unpatched instances
Patch Information
Zauberzeug has released version 3.8.0 of NiceGUI which addresses this vulnerability. The fix removes the dangerous eval() fallback from the JavaScript runMethod() function and properly serializes method names using json.dumps() on the Python side. The patch is available through the GitHub Commit and details are documented in the GitHub Security Advisory GHSA-78qv-3mpx-9cqq.
Workarounds
- Avoid passing user-controlled input directly to method execution functions such as run_method(), run_grid_method(), or run_chart_method()
- Implement an allowlist of permitted method names and validate all input against this list before execution
- Use ui.run_javascript() directly with properly sanitized inputs when dynamic JavaScript execution is required
- Deploy strict Content Security Policy headers to limit the impact of any XSS exploitation
# Configuration example - Installing patched version
pip install --upgrade nicegui>=3.8.0
# Verify installed version
pip show nicegui | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
