NiceGUI's XSS vulnerability in ui.markdown() allows arbitrary JavaScript execution through unsanitized HTML content

Description

Description

The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers.

Unlike other NiceGUI components that render HTML (ui.html(), ui.chat_message(), ui.interactive_image()), the ui.markdown() component does not provide or require a sanitize parameter, leaving applications vulnerable to XSS attacks.

Proof of Concept

from nicegui import ui

# User-controlled input containing malicious payload
user_input = 'Hello! <img src=x onerror="alert(\'XSS\')">'

ui.markdown(user_input)  # XSS executes when page loads

ui.run()

When this page loads, the JavaScript in the onerror handler executes, potentially allowing an attacker to:
- Steal session cookies or authentication tokens
- Perform actions on behalf of the user
- Redirect users to malicious sites
- Modify page content

Impact

Applications that render user-provided content through ui.markdown() are vulnerable to stored or reflected XSS attacks. This is particularly concerning for:
- Chat applications displaying user messages
- CMS or documentation systems with user-editable content
- Any application that displays markdown from untrusted sources

Remediation

A release has been published in version 3.7.0.

For Users (Immediate Workaround)

Until a fix is released, do not pass untrusted content directly to ui.markdown(). Instead, use one of these approaches:

Option 1: Convert and sanitize manually using ui.html()

import markdown2
from html_sanitizer import Sanitizer

sanitizer = Sanitizer()

def safe_markdown(content: str) -> None:
    """Render markdown with HTML sanitization."""
    html = markdown2.markdown(content)
    ui.html(sanitizer.sanitize(html), sanitize=False)

# Usage
safe_markdown(user_input)

Option 2: Escape HTML before markdown conversion (if raw HTML not needed)

import html

# Escape HTML entities - prevents any HTML from being interpreted
ui.markdown(html.escape(user_input))

Proposed Fix

Add a sanitize parameter to ui.markdown() consistent with other HTML-rendering components, and/or add an escape_html parameter.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-02-05 17:41:17 UTC
Updated
2026-02-07 00:31:34 UTC
GitHub reviewed
2026-02-05 17:41:17 UTC
NVD published
2026-02-06

EPSS Score

Score Percentile
0.02% 5.55%

CVSS Scores

Base score Version Severity Vector
6.1 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Credits

  • falkoschindler (remediation_developer)
  • evnchn (remediation_reviewer)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
pip nicegui <= 3.6.1 3.7.0

References

cvelogic Threat Intelligence