CVE-2026-21874

Severity: Medium · EPSS 39.6%
CVSS 3.1 base score: 5.3 (Medium)
Published Jan 8, 2026 (5mo ago) · Modified Jun 17, 2026 (1w ago)

Description

NiceGUI is a Python-based UI framework. From version v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections: errors are logged but the app stays up with broken storage functionality. This issue has been patched in version 3.5.0.

CVSS Details

Base Score
5.3
Exploitability
3.9
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability Low

Threat Intelligence

EPSS Exploit Probability
39.6% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses (1)

CWE-772: Missing Release of Resource after Effective Lifetime

Affected Products (1)

Vendor      Product   Version   Range
zauberzeug  nicegui   *         ≥2.10.0 – <3.5.0

References (3)

  • github.com https://github.com/zauberzeug/nicegui/commit/6c52eb2c90c4b67387c025b29646b4bc1578eb83
    Patch
  • github.com https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0
    Release Notes
  • github.com https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mp55-g7pj-rvm2
    Exploit, Vendor Advisory

Remediation

  • github.com https://github.com/zauberzeug/nicegui/commit/6c52eb2c90c4b67387c025b29646b4bc1578eb83
    Patch