{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/docutils/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["nicegui (\u003c= 3.11.1)"],"_cs_severities":["high"],"_cs_tags":["local-file-disclosure","nicegui","docutils","CVE-2026-45553"],"_cs_type":"advisory","_cs_vendors":["pip"],"content_html":"\u003cp\u003eA local file disclosure vulnerability exists in the NiceGUI library, specifically affecting applications that utilize the \u003ccode\u003eui.restructured_text()\u003c/code\u003e function with untrusted input. When a NiceGUI application passes attacker-controlled reStructuredText content to the \u003ccode\u003eui.restructured_text()\u003c/code\u003e function, it\u0026rsquo;s possible for an attacker to inject malicious Docutils directives to read arbitrary local files accessible to the NiceGUI server process. The vulnerability lies in the server-side rendering of reStructuredText using Docutils without proper sanitization or disabling of file insertion directives. This issue affects NiceGUI versions 3.11.1 and earlier and is identified as CVE-2026-45553. Successful exploitation allows attackers to potentially access sensitive information such as application \u003ccode\u003e.env\u003c/code\u003e files, database URLs, API tokens, and source code.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a NiceGUI application that uses the \u003ccode\u003eui.restructured_text()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker finds an input field (e.g., form field, query parameter) that passes data to \u003ccode\u003eui.restructured_text()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts malicious reStructuredText content containing a file inclusion directive, such as \u003ccode\u003e.. include:: /etc/passwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious payload into the identified input field.\u003c/li\u003e\n\u003cli\u003eThe NiceGUI server processes the reStructuredText content via Docutils, rendering the injected directive.\u003c/li\u003e\n\u003cli\u003eDocutils reads the specified local file (\u003ccode\u003e/etc/passwd\u003c/code\u003e in this example) from the server\u0026rsquo;s filesystem.\u003c/li\u003e\n\u003cli\u003eThe content of the file is embedded into the generated HTML output.\u003c/li\u003e\n\u003cli\u003eThe attacker views the application, revealing the contents of the targeted local file in the HTML.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-45553) allows an attacker to read arbitrary files on the server\u0026rsquo;s filesystem, provided the NiceGUI server process has the necessary permissions. This can lead to the disclosure of sensitive information, including application configuration files (\u003ccode\u003e.env\u003c/code\u003e), database credentials, API keys, session secrets, OAuth credentials, Docker/Kubernetes secrets, and application source code. The vulnerability can result in significant confidentiality loss and potentially compromise the entire application or infrastructure. Applications are only vulnerable when they pass untrusted or user-controlled reStructuredText input to the \u003ccode\u003eui.restructured_text()\u003c/code\u003e function.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to NiceGUI version 3.11.2 or later, which includes the recommended fix to disable unsafe Docutils features.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect NiceGUI RCE Attempts via Restructured Text\u003c/code\u003e to monitor for exploitation attempts by detecting the presence of file inclusion directives in HTTP requests to NiceGUI applications.\u003c/li\u003e\n\u003cli\u003eApply the remediation steps outlined in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-jfrm-rx66-g536\"\u003ehttps://github.com/advisories/GHSA-jfrm-rx66-g536\u003c/a\u003e) which disables file insertion and raw directives in the Docutils configuration.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, sanitize user-supplied input before passing it to \u003ccode\u003eui.restructured_text()\u003c/code\u003e to remove or escape potentially malicious reStructuredText directives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T20:22:41Z","date_published":"2026-05-18T20:22:41Z","id":"https://feed.craftedsignal.io/briefs/2026-05-nicegui-lfd/","summary":"CVE-2026-45553 allows a remote attacker to read arbitrary local files by injecting reStructuredText directives into the `ui.restructured_text()` function of a NiceGUI application, if the application passes user-controlled content to that function.","title":"NiceGUI Local File Disclosure via Docutils File Insertion (CVE-2026-45553)","url":"https://feed.craftedsignal.io/briefs/2026-05-nicegui-lfd/"}],"language":"en","title":"CraftedSignal Threat Feed — Docutils","version":"https://jsonfeed.org/version/1.1"}