CVE-2026-21874
Severity: MEDIUM · EPSS 39.6%
CVSS 3.1 base score: 5.3
Published Jan 8, 2026 · Last modified Jun 17, 2026
Description
NiceGUI is a Python-based UI framework. In versions 2.10.0 through 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application that uses Redis-backed storage. Connections are never released, so service degrades once Redis reaches its connection limit. NiceGUI continues to accept new client connections: errors are logged, but the application stays up with broken storage functionality. This issue has been patched in version 3.5.0.
CVSS Details
Base score: 5.3 (CVSS 3.1)
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | None |
| Availability | Low |
Threat Intelligence
- EPSS exploit probability: 39.6% percentile
Exploit & Patch Status
- Public exploit: known
- Patch: available
Weaknesses (1)
- CWE-772: Missing Release of Resource after Effective Lifetime
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| zauberzeug | nicegui | * | ≥2.10.0 – <3.5.0 |
References (3)
- github.com https://github.com/zauberzeug/nicegui/commit/6c52eb2c90c4b67387c025b29646b4bc1578eb83
- github.com https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0
- github.com https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mp55-g7pj-rvm2
Remediation
- github.com https://github.com/zauberzeug/nicegui/commit/6c52eb2c90c4b67387c025b29646b4bc1578eb83