High severity 7.5 · GHSA Advisory · Published Jun 2, 2026 · Updated Jun 2, 2026
CVE-2026-45553
Description
NiceGUI is a Python-based UI framework. Prior to version 3.12.0, ui.restructured_text() renders reStructuredText server-side with Docutils without disabling file insertion directives. When a NiceGUI application passes attacker-controlled content to ui.restructured_text(), an attacker can use standard Docutils directives (include, csv-table with :file:, raw with :file:) to read local files readable by the NiceGUI server process. Applications that only pass trusted static strings to ui.restructured_text() are not affected. This issue has been patched in version 3.12.0.
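The Docutils settings that govern the directives named above, shown side by side as an added example (this is not NiceGUI's code and not its 3.12.0 patch). `file_insertion_enabled` and `raw_enabled` are Docutils settings; `render_rst`, `samples`, `file_content_rendered` and the marker string are hypothetical names and constructed data, and the `docutils` package is assumed to be installed.

```python
import os
import tempfile

from docutils.core import publish_parts

MARKER = "constructed-marker-0001"  # constructed file content, not a real secret

# Docutils' defaults, written out: file-reading directives are allowed.
DEFAULT = {"file_insertion_enabled": True, "raw_enabled": True}
# Settings for untrusted input: no include, no :file:/:url: options, no raw.
HARDENED = {"file_insertion_enabled": False, "raw_enabled": False}


def render_rst(text, hardened=True):
    """Render reST to an HTML fragment (hypothetical helper, not NiceGUI API)."""
    overrides = dict(HARDENED if hardened else DEFAULT)
    # Level 5 = "none": no diagnostics on stderr or in the page, never abort.
    overrides.update(report_level=5, halt_level=5)
    parts = publish_parts(text, writer_name="html", settings_overrides=overrides)
    return parts["html_body"]


def samples(path):
    """Constructed inputs, one per directive form listed in the advisory."""
    return {
        "include": f".. include:: {path}\n",
        "csv-table": f".. csv-table:: demo\n   :file: {path}\n",
        "raw": f".. raw:: html\n   :file: {path}\n",
    }


def file_content_rendered(hardened):
    """Map each directive to True if the temp file's text reached the HTML."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(MARKER + "\n")
    try:
        return {name: MARKER in render_rst(text, hardened)
                for name, text in samples(fh.name).items()}
    finally:
        os.unlink(fh.name)


if __name__ == "__main__":
    print("default :", file_content_rendered(hardened=False))
    print("hardened:", file_content_rendered(hardened=True))
```

Applications that render user-supplied reStructuredText with Docutils directly can apply the same two overrides; ordinary markup still renders with them in place.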
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nicegui (PyPI) | < 3.12.0 | 3.12.0 |
Affected products
- Range: <= 3.11.1