Impact
NiceGUI is a Python-based UI framework that renders reStructuredText on the server using Docutils. In versions prior to 3.12.0 the rendering function ui.restructured_text() does not disable Docutils file insertion directives. When an application passes attacker-controlled content to this function, the directives include, csv-table with the :file: option, and raw with the :file: option let the server process read, and disclose, any file it can access. The vulnerability therefore permits an attacker to obtain local files readable by the NiceGUI server process, which may include configuration files or credentials. It is a classic local file disclosure flaw classified as CWE-200.
Affected Systems
The vendor is zauberzeug; the affected product is its NiceGUI framework. All supported versions of NiceGUI older than 3.12.0 are affected. The issue was corrected in release v3.12.0, so applications on any earlier version (3.11.x or older) remain at risk unless they pass only trusted static strings to the function, as the advisory's guidance notes.
Risk and Exploitability
The CVSS base score of 7.5 indicates medium to high severity. No EPSS score is available, so the current probability of exploitation is uncertain, and the vulnerability is not listed in the CISA KEV catalog. The attack is possible whenever an attacker can influence the data passed to ui.restructured_text(); the report implies that crafted reStructuredText could arrive through any public endpoint that accepts user input. If the application exposes such an endpoint, an attacker could obtain arbitrary local files from the server. While no public exploit is documented, the presence of file insertion directives makes exploitation straightforward for a skilled attacker.
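As an added illustration (not NiceGUI's own code or its 3.12.0 fix), the following shows the two defender-side controls the advisory points at: a pre-render scanner that flags the three file-reading directives named above, and a Docutils render call with file insertion and raw passthrough disabled, which is what an application wants while it still runs an affected version. The render function assumes docutils is installed; the sample document and the paths in it are constructed for the demonstration.

```python
import io
import re

# Docutils directives that can pull local files into the output when file insertion is enabled.
FILE_INSERTION_DIRECTIVES = {"include", "raw", "csv-table"}
_DIRECTIVE_RE = re.compile(r"^[ \t]*\.\.[ \t]+([A-Za-z0-9_-]+)::", re.MULTILINE)
_FILE_OPTION_RE = re.compile(r"^[ \t]+:(file|url):", re.MULTILINE)
_BODY_END_RE = re.compile(r"\n(?=[^ \t\n]|\n)")  # first unindented or blank line ends the options


def find_file_insertion_directives(rst):
    """Return (directive, line_number) for each directive that could read a file.
    `include` always names a path; `raw` and `csv-table` read files only through
    :file:/:url: options, so those two are reported only when such an option follows."""
    hits = []
    for m in _DIRECTIVE_RE.finditer(rst):
        name = m.group(1).lower()
        if name not in FILE_INSERTION_DIRECTIVES:
            continue
        if name != "include":
            rest = rst[m.end():]
            end = _BODY_END_RE.search(rest)
            if not _FILE_OPTION_RE.search(rest[:end.start()] if end else rest):
                continue  # inline raw / csv-table content stays inside the document
        hits.append((name, rst.count("\n", 0, m.start()) + 1))
    return hits


def render_untrusted_rst(rst):
    """Render to an HTML body with Docutils file insertion and raw passthrough switched off.
    Assumes docutils is installed; a refused directive appears as a 'directive disabled'
    system message in the output instead of the file's contents."""
    from docutils.core import publish_parts  # local import: the scanner above needs no docutils
    settings = {
        "file_insertion_enabled": False,  # disables include and :file:/:url: on raw and csv-table
        "raw_enabled": False,             # no raw HTML passthrough from untrusted authors
        "warning_stream": io.StringIO(),  # keep Docutils warnings out of the server's stderr
    }
    return publish_parts(source=rst, writer_name="html", settings_overrides=settings)["body"]


# Constructed sample document (not from the advisory): one harmless csv-table, two file readers.
CONSTRUCTED_INPUT = """\
.. csv-table:: Inline data (harmless)
   :header: "a", "b"

   1, 2

.. include:: secrets.ini

.. raw:: html
   :file: /app/config.yaml
"""
```

Running find_file_insertion_directives(CONSTRUCTED_INPUT) reports the include on line 6 and the raw directive on line 8 while leaving the inline csv-table alone, so the check can gate or log untrusted input before it ever reaches the renderer.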
OpenCVE Enrichment
Github GHSA