Dennyabrahamsinaga

#37822 of 53,633
7.5 Total CVSS
Vulnerabilities · 1
PT-2026-41235
7.5
2026-05-14
Nicegui · Nicegui · CVE-2026-45553
**Name of the Vulnerable Software and Affected Versions**

NiceGUI (affected versions not specified)

**Description**

The `ui.restructured_text()` function renders reStructuredText server-side using Docutils without disabling file insertion directives. When attacker-controlled content is passed to this function, an attacker can use standard Docutils directives such as `include`, `csv-table` with `:file:`, or `raw` with `:file:` to read local files accessible to the server process. The issue is in the `prepare_content()` function in `nicegui/elements/restructured_text.py`, which does not disable file insertion or raw directives during rendering. This can lead to the disclosure of sensitive information, including environment files, database URLs, API tokens, and source files.

**Recommendations**

Disable unsafe Docutils features in the `prepare_content()` function by setting `file_insertion_enabled` to `False`, `raw_enabled` to `False`, and `_disable_config` to `True` within the `settings_overrides` parameter. As a temporary workaround, avoid passing untrusted or user-controlled input to the `ui.restructured_text()` function.
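As an added example (not NiceGUI's or Docutils' own code), the snippet below renders reStructuredText with `docutils.core.publish_parts` once with the `settings_overrides` the recommendation names and once with Docutils defaults, so the fix can be regression-tested; the temporary file and the placeholder secret it holds are constructed for the check.

```python
import os
import tempfile

# Docutils settings the advisory recommends passing via settings_overrides.
HARDENED_OVERRIDES = {
    "file_insertion_enabled": False,  # blocks include, csv-table :file:, raw :file:
    "raw_enabled": False,             # blocks the raw directive entirely
    "_disable_config": True,          # ignore docutils.conf files that could re-enable them
}


def render_rst(source: str, hardened: bool = True) -> str:
    """Render an RST string to an HTML body fragment with docutils.core.publish_parts."""
    from docutils.core import publish_parts  # real Docutils API; imported lazily
    overrides = dict(HARDENED_OVERRIDES) if hardened else {}
    parts = publish_parts(source=source, writer_name="html", settings_overrides=overrides)
    return parts["body"]


def regression_check() -> dict:
    """Render an untrusted document both ways and return the two HTML fragments.

    Writes a constructed placeholder secret to a temporary file, then renders
    an ``include`` directive pointing at it with and without the hardened
    overrides. The hardened output must carry a Docutils system message
    ("include" directive disabled) instead of the file contents.
    """
    secret = "CONSTRUCTED-PLACEHOLDER-TOKEN"  # constructed, not a real credential
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(secret + "\n")
    try:
        untrusted = f"Report\n======\n\n.. include:: {path}\n"
        return {
            "secret": secret,
            "hardened": render_rst(untrusted, hardened=True),
            "weak": render_rst(untrusted, hardened=False),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    result = regression_check()
    print("leaked with defaults:", result["secret"] in result["weak"])
    print("leaked when hardened:", result["secret"] in result["hardened"])
```

Docutils reports the blocked directive as a warning on stderr as well as in the rendered fragment, which is the signal to alert on if the overrides are ever dropped.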