CVE-2026-45553

Published: Giu 02, 2026 Last Modified: Giu 02, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,5

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: none

Availability: none

Description

AI Translation Available

NiceGUI is a Python-based UI framework. Prior to version 3.12.0, ui.restructured_text() renders reStructuredText server-side with Docutils without disabling file insertion directives. When a NiceGUI application passes attacker-controlled content to ui.restructured_text(), an attacker can use standard Docutils directives (include, csv-table with :file:, raw with :file:) to read local files readable by the NiceGUI server process. Applications that only pass trusted static strings to ui.restructured_text() are not affected. This issue has been patched in version 3.12.0.

200

Exposure of Sensitive Information to an Unauthorized Actor

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality

Potential Impacts:

Read Application Data

Applicable Platforms

Technologies: Not Technology-Specific, Web Based, Mobile

Likelihood of Exploit: High

View CWE Details

https://github.com/zauberzeug/nicegui/releases/tag/v3.12.0

https://github.com/zauberzeug/nicegui/security/advisories/G…

https://github.com/zauberzeug/nicegui/security/advisories/GHSA-jfrm-rx66-g536

CVE-2026-45553

Description

Exposure of Sensitive Information to an Unauthorized Actor

Common Consequences

Applicable Platforms

Iscriviti alla newsletter