NiceGUI is a Python-based UI framework. Prior to version 3.12.0, ui.restructured_text() renders reStructuredText server-side with Docutils without disabling fil…

NiceGUI Python UI framework versions prior to 3.12.0 contain a vulnerability in ui.restructured_text() function that renders reStructuredText server-side with Docutils without disabling file insertion directives. Attackers can exploit this by passing malicious content to read local files accessible to the NiceGUI server process through standard Docutils directives including include, csv-table with :file:, and raw with :file: options. The vulnerability only affects applications that pass attacker-controlled content to ui.restructured_text(), while applications using only trusted static strings remain unaffected. This issue has been patched in version 3.12.0.