Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1858

NIXPKGS-2026-1858
published on
Permalink CVE-2026-45553
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 8 hours ago by @LeSuisse Activity log
  • Created suggestion 12 hours ago
  • @LeSuisse ignored
    3 packages
    • python312Packages.nicegui-highcharts
    • python314Packages.nicegui-highcharts
    • python313Packages.nicegui-highcharts
    8 hours ago
  • @LeSuisse accepted 8 hours ago
  • @LeSuisse published on GitHub 8 hours ago
NiceGUI: Local file disclosure via Docutils file insertion in ui.restructured_text()

NiceGUI is a Python-based UI framework. Prior to version 3.12.0, ui.restructured_text() renders reStructuredText server-side with Docutils without disabling file insertion directives. When a NiceGUI application passes attacker-controlled content to ui.restructured_text(), an attacker can use standard Docutils directives (include, csv-table with :file:, raw with :file:) to read local files readable by the NiceGUI server process. Applications that only pass trusted static strings to ui.restructured_text() are not affected. This issue has been patched in version 3.12.0.

Affected products

nicegui
  • ==< 3.12.0

Matching in nixpkgs

Ignored packages (3)

Package maintainers