SCA: security update for nicegui (GHSA-v82v-c5x8-w282)

medium Tenable Self-Hosted Container Security Plugin ID 437574

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert
markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to
pass through unchanged. This means that if an application renders user-controlled content through
ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers. Unlike other
NiceGUI components that render HTML (ui.html(), ui.chat_message(), ui.interactive_image()), the
ui.markdown() component does not provide or require a sanitize parameter, leaving applications vulnerable
to XSS attacks. This vulnerability is fixed in 3.7.0. (CVE-2026-25516)

See Also

https://github.com/advisories/GHSA-v82v-c5x8-w282

Plugin Details

Severity: Medium

ID: 437574

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 2/5/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.42

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-25516

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/5/2026

Vulnerability Publication Date: 2/5/2026

Reference Information

CVE: CVE-2026-25516

cwe: CWE-79