CVE-2025-66469 — NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Inje · VulnScope
), allowing for the execution of arbitrary JavaScript.

### Details

The vulnerability stems from how these functions inject content into the DOM using `client.run_javascript` (or `add_head_html` internally) without sufficient escaping for the transport layer.

* **`ui.add_css`**: Injects content into a `<style>` tag; a closing `</style>` in the payload closes the tag prematurely, allowing subsequent HTML/JS injection.
* **`ui.add_scss` / `ui.add_sass`**: These rely on client-side compilation within a `<style>`-type tag; a closing tag in the payload breaks the execution context, allowing XSS.

### PoC

**Scenario:** A developer allows users to customize a theme color via a URL parameter.

```python
from nicegui import ui

@ui.page('/')
def main(color: str = 'blue'):
    # Vulnerable implementation of dynamic theming: the query parameter is
    # interpolated into a <style> block with no validation or escaping
    ui.add_css(f'.q-btn {{ background-color: {color} !important; }}')
    ui.button('Click Me')

ui.run(port=8082)
```

**Attack Vector:**

Accessing the following URL executes arbitrary JavaScript:

`http://localhost:8082/?color=red;}
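A hardened version of the PoC page, added here as an example that is not part of the advisory or of NiceGUI: the colour parameter is validated against a strict allowlist before it reaches `ui.add_css`, and `is_suspicious` gives a check that can be logged when a request carries tag- or block-breaking characters. The `ui.page` wiring, the colour allowlist and the helper names are assumptions.

```python
import re

# Constructed allowlist: a subset of CSS named colours plus #RGB / #RRGGBB hex.
# Anything that does not match is replaced by the default, so a value can never
# carry "}" or "</style>" into the generated <style> block.
_NAMED_COLOURS = frozenset({'blue', 'red', 'green', 'black', 'white', 'grey', 'orange'})
_HEX_COLOUR = re.compile(r'\A#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})\Z')


def is_suspicious(value: str) -> bool:
    """Detection check for logging/alerting: a colour value never legitimately
    contains markup or CSS-block delimiters such as '<', '}' or ';'."""
    return any(tok in value for tok in ('<', '>', '{', '}', ';'))


def validate_color(value: str, default: str = 'blue') -> str:
    """Return `value` (normalised) only if it is an allowlisted colour; else `default`."""
    candidate = value.strip().lower()
    if candidate in _NAMED_COLOURS or _HEX_COLOUR.match(candidate):
        return candidate
    return default


def theme_css(color: str) -> str:
    """Build the theme rule from a validated colour only (never raw user input)."""
    return f'.q-btn {{ background-color: {validate_color(color)} !important; }}'


def main(color: str = 'blue') -> None:
    """Hardened page handler; decorate with @ui.page('/') in a NiceGUI app.
    The import is deferred so the validation helpers above run without NiceGUI."""
    from nicegui import ui  # assumption: NiceGUI is installed in the app environment
    ui.add_css(theme_css(color))
    ui.button('Click Me')
```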