External Control of File Name or Path Affecting nicegui package, versions [,3.12.0)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PYTHON-NICEGUI-16757863
- published19 May 2026
- disclosed18 May 2026
- creditdennyabrahamsinaga, Rohit Prasanth
Introduced: 18 May 2026
NewCVE-2026-45553 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade nicegui to version 3.12.0 or higher.
Overview
nicegui is a Create web-based user interfaces with Python. The nice way.
Affected versions of this package are vulnerable to External Control of File Name or Path via the prepare_content function. An attacker can access sensitive local files readable by the server by supplying specially crafted reStructuredText content that leverages Docutils directives such as include, csv-table with :file:, or raw with :file:.
Note: This is only exploitable if untrusted or user-controlled input is passed into ui.restructured_text().