CVE-2026-45553: NiceGUI: Local file disclosure via Docutils file insertion in ui.restructured_text()
ui.restructured_text() renders reStructuredText server-side with Docutils without disabling file insertion directives.
When a NiceGUI application passes attacker-controlled content to ui.restructured_text(), an attacker can use standard Docutils directives (include, csv-table with :file:, raw with :file:) to read local files readable by the NiceGUI server process.
Applications that only pass trusted static strings to ui.restructured_text() are not affected.
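The behaviour described above can be checked against Docutils directly. This is an added example, not NiceGUI's code or its fix: it renders the three directives against a constructed temporary file, once with Docutils defaults and once with the `file_insertion_enabled` and `raw_enabled` settings turned off. The helper names `render` and `leak_report`, the marker string and the sample inputs are assumptions made for the illustration.

```python
import os
import tempfile

from docutils.core import publish_parts

# Docutils settings that switch off the directives named in the advisory.
HARDENED = {
    "file_insertion_enabled": False,  # include, csv-table :file:, raw :file:
    "raw_enabled": False,             # raw directive in any form
    "report_level": 5,                # keep Docutils system messages out of the HTML
}

# Constructed inputs, one per directive from the advisory; {path} is filled in below.
SAMPLES = {
    "include": ".. include:: {path}\n",
    "csv-table": ".. csv-table::\n   :file: {path}\n",
    "raw": ".. raw:: html\n   :file: {path}\n",
}

MARKER = "CONSTRUCTED-MARKER-7f3a"  # stands in for file content that must not leak


def render(rst, overrides):
    """Render RST to an HTML fragment using the given Docutils setting overrides."""
    parts = publish_parts(rst, writer_name="html", settings_overrides=overrides)
    return parts["html_body"]


def leak_report(overrides):
    """Return {directive: True if the file's content reached the rendered HTML}."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(MARKER + "\n")
        return {
            name: MARKER in render(template.format(path=path), overrides)
            for name, template in SAMPLES.items()
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("Docutils defaults:", leak_report({}))
    print("hardened settings:", leak_report(HARDENED))
```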