NiceGUI is a Python-based UI framework. Prior to version 3.12.0, ui.restructured_text() renders reStructuredText server-side with Docutils without disabling fil…

CVE-2026-45553 affects NiceGUI, a Python-based UI framework, in versions prior to 3.12.0. The vulnerability exists in the ui.restructured_text() function which renders reStructuredText server-side using Docutils without properly disabling file insertion directives. Attackers can exploit this by passing malicious content to ui.restructured_text() and using standard Docutils directives (include, csv-table with :file:, raw with :file:) to read local files accessible to the NiceGUI server process. Applications that only use trusted static strings with ui.restructured_text() are not affected. The vulnerability has been patched in version 3.12.0.