Skip to main content

NiceGUI CVE-2026-45553

| EUVDEUVD-2026-33963 HIGH
Information Exposure (CWE-200)
2026-05-18 https://github.com/zauberzeug/nicegui GHSA-jfrm-rx66-g536
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 21:08 vuln.today
Analysis Generated
May 18, 2026 - 21:08 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on nicegui (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.12.0.

DescriptionGitHub Advisory

Summary

ui.restructured_text() renders reStructuredText server-side with Docutils without disabling file insertion directives.

When a NiceGUI application passes attacker-controlled content to ui.restructured_text(), an attacker can use standard Docutils directives (include, csv-table with :file:, raw with :file:) to read local files readable by the NiceGUI server process.

Applications that only pass trusted static strings to ui.restructured_text() are not affected.

Details

The affected component is the reStructuredText renderer:

  • File: nicegui/elements/restructured_text.py
  • Function: prepare_content()

prepare_content() renders user-supplied reStructuredText through Docutils:

python
html = publish_parts(
    remove_indentation(content),
    writer_name='html4',
    settings_overrides={'syntax_highlight': 'short'},
)

The Docutils call only sets syntax_highlight. It does not disable file insertion or raw directives, so Docutils processes directives that read local files and embed their contents into the generated HTML before it is returned to the browser. Frontend sanitization cannot prevent this because the file has already been read server-side.

A minimal vulnerable usage pattern is any page that forwards untrusted input into ui.restructured_text(), e.g. content taken from query parameters, form fields, or other user-controlled sources.

Impact

Local file disclosure. An attacker who can supply reStructuredText content can read files accessible to the NiceGUI server process. Depending on deployment, this may expose:

  • application .env files
  • database URLs, API tokens, session/storage secrets
  • OAuth or cloud credentials
  • Docker or Kubernetes mounted secrets
  • application source files
  • logs and other process-readable files

The confirmed impact is confidentiality loss through arbitrary local file read. Applications are only impacted when they pass untrusted or user-controlled reStructuredText into ui.restructured_text().

Recommended fix

Disable unsafe Docutils features in prepare_content():

python
html = publish_parts(
    remove_indentation(content),
    writer_name='html4',
    settings_overrides={
        'syntax_highlight': 'short',
        'file_insertion_enabled': False,
        'raw_enabled': False,
        '_disable_config': True,
    },
)

This blocks the include, csv-table :file:, and raw :file: directives as well as local docutils.conf overrides.

AnalysisAI

Local file disclosure in NiceGUI versions <= 3.11.1 allows remote unauthenticated attackers to read arbitrary files accessible to the server process when applications pass user-controlled content to ui.restructured_text(). The flaw stems from Docutils being invoked without disabling file-insertion directives (include, csv-table :file:, raw :file:), enabling exfiltration of secrets, credentials, and source code. No public exploit identified at time of analysis, but the vendor advisory provides full directive-level proof patterns.

Technical ContextAI

NiceGUI is a Python-based UI framework (pkg:pip/nicegui) that wraps a server-rendered web interface. The vulnerable function prepare_content() in nicegui/elements/restructured_text.py calls Docutils' publish_parts() with only syntax_highlight set, leaving file_insertion_enabled and raw_enabled at their permissive defaults. Docutils' reStructuredText parser supports directives such as .. include::, .. csv-table:: :file:, and .. raw:: html :file:, which open and embed local filesystem content at render time. This maps to CWE-200 (Exposure of Sensitive Information) via server-side directive processing; because the file is read before HTML reaches the browser, no client-side sanitizer or CSP can block it.

RemediationAI

Vendor-released patch: NiceGUI 3.12.0 - upgrade via pip install --upgrade nicegui>=3.12.0 per the GHSA-jfrm-rx66-g536 advisory. If immediate upgrade is not possible, the workaround is to stop passing any untrusted input to ui.restructured_text() (sanitize or hard-code the rstcontent) or monkey-patch prepare_content() to call publish_parts with settings_overrides including file_insertion_enabled=False, raw_enabled=False, and _disable_config=True - this disables the include, csv-table :file:, and raw :file: directives and prevents local docutils.conf overrides, with the trade-off that legitimate file-include directives in trusted documents will also stop working. As a deployment-layer compensating control, run the NiceGUI process under a least-privileged user account in a chrooted/containerized filesystem so that even if exploitation occurs, sensitive files like .env, cloud credentials, and mounted Kubernetes secrets are not readable; note this does not eliminate the vulnerability and may break apps that rely on broader filesystem access.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-45553 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy