78 matches found

EUVD
added 2 days ago | 4 views

EUVD-2026-33963

NiceGUI is a Python-based UI framework. Prior to version 3.12.0, ui.restructured_text renders reStructuredText server-side with Docutils without disabling file insertion directives. When a NiceGUI application passes attacker-controlled content to ui.restructured_text, an attacker can use standard...

7.5 CVSS | 5.8 AI score | 0.00031 EPSS
Exploits 0 | References 2

OSV
added 2026/05/18 8:21 p.m. | 5 views

GHSA-JFRM-RX66-G536 NiceGUI: Local file disclosure via Docutils file insertion in ui.restructured_text()

Summary: ui.restructured_text renders reStructuredText server-side with Docutils without disabling file insertion directives. When a NiceGUI application passes attacker-controlled content to ui.restructured_text, an attacker can use standard Docutils directives include, csv-table with :file:, raw wi...

7.5 CVSS | 5.9 AI score | 0.00031 EPSS
Exploits 0 | References 2

Snyk
added 2026/05/18 8:21 p.m. | 3 views

External Control of File Name or Path

Overview: nicegui is a Create web-based user interfaces with Python. The nice way. Affected versions of this package are vulnerable to External Control of File Name or Path via the preparecontent function. An attacker can access sensitive local files readable by the server by supplying specially...

8.7 CVSS | 5.8 AI score | 0.00031 EPSS
Exploits 0 | References 2

RedhatCVE
added 2026/03/17 4:9 a.m. | 1 views

CVE-2026-3312

A flaw was found in Pagure's rendering engine for reStructuredText (RST) files. An authenticated user can exploit an unrestricted .. include:: directive within RST files to read arbitrary internal files from the server hosting Pagure. This information disclosure vulnerability allows unauthorized...

7.7 CVSS | 5.8 AI score
Exploits 0 | References 3

RedhatCVE
added 2026/01/09 11:25 a.m. | 4 views

CVE-2021-28793

vscode-restructuredtext before 146.0.0 contains an incorrect access control vulnerability, where a crafted project folder could execute arbitrary binaries via crafted workspace configuration...

9.8 CVSS | 7.5 AI score | 0.00531 EPSS
Exploits 0 | References 1

EUVD
added 2025/10/07 12:30 a.m. | 1 views

EUVD-2021-15450

Malware in sbrugna...

9.8 CVSS | 9.4 AI score | 0.00531 EPSS
Exploits 0 | References 5

EUVD
added 2025/10/07 12:30 a.m. | 1 views

EUVD-2006-0007

Malware in sbrugna...

5 CVSS | 6.1 AI score | 0.00785 EPSS
Exploits 0 | References 16

EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2005-3322

Malware in sbrugna...

7.5 CVSS | 6.1 AI score | 0.02297 EPSS
Exploits 0 | References 12

Fedora
added 2024/02/12 1:52 a.m. | 28 views

[SECURITY] Fedora 38 Update: python-nikola-8.3.0-1.fc38

Nikola is a static site and blog generator using Python. It generates sites with tags, feeds, archives, comments, and more from plain text files. Source can be unformatted, or formatted with reStructuredText or Markdown. It also automatically builds image galleries...

7.5 CVSS | 7.6 AI score | 0.00726 EPSS
Exploits 0

SUSE CVE
added 2023/02/15 6:17 a.m. | 1 views

SUSE CVE-2005-3323

docutils in Zope 2.6, 2.7 before 2.7.8, and 2.8 before 2.8.2 allows remote attackers to include arbitrary files via include directives in RestructuredText functionality...

7.5 CVSS | 7.2 AI score | 0.02297 EPSS
Exploits 0 | References 5

SUSE CVE
added 2023/02/15 6:14 a.m. | 2 views

SUSE CVE-2006-3458

Zope 2.7.0 to 2.7.8, 2.8.0 to 2.8.7, and 2.9.0 to 2.9.3 (Zope2) does not disable the "raw" command when providing untrusted users with restructured text (reStructuredText) functionality from docutils, which allows local users to read arbitrary files...

2.1 CVSS | 6.7 AI score | 0.00072 EPSS
Exploits 0 | References 4

OSV
added 2022/05/17 2:1 a.m. | 3 views

GHSA-M9J7-XCJ7-42J9 MoinMoin Cross-site Scripting (XSS) vulnerability

Cross-site scripting (XSS) vulnerability in the reStructuredText (rst) parser in parser/text_rst.py in MoinMoin before 1.9.3, when docutils is installed or when "format rst" is set, allows remote attackers to inject arbitrary web script or HTML via a javascript: URL in the refuri attribute. NOTE: some...

6.1 CVSS | 5.4 AI score | 0.00844 EPSS
Exploits 1 | References 15

Github Security Blog
added 2022/05/17 2:1 a.m. | 12 views

MoinMoin Cross-site Scripting (XSS) vulnerability

Cross-site scripting (XSS) vulnerability in the reStructuredText (rst) parser in parser/text_rst.py in MoinMoin before 1.9.3, when docutils is installed or when "format rst" is set, allows remote attackers to inject arbitrary web script or HTML via a javascript: URL in the refuri attribute. NOTE: some...

2.6 CVSS | 5.6 AI score | 0.00844 EPSS
Exploits 1 | References 15 | Affected Software 1

OSV
added 2022/05/01 7:20 a.m. | 4 views

GHSA-HM8G-JXJJ-GFM3 Zope allows remote attackers to read arbitrary files

The docutils module in Zope (Zope2) 2.7.0 through 2.7.9 and 2.8.0 through 2.8.8 does not properly handle web pages with reStructuredText (reST) markup, which allows remote attackers to read arbitrary files via a csv_table directive, a different vulnerability than CVE-2006-3458...

5 CVSS | 6.3 AI score | 0.00785 EPSS
Exploits 0 | References 6

Github Security Blog
added 2022/05/01 7:11 a.m. | 21 views

Trac reStructuredText breach of privacy and denial of service vulnerability

Trac before 0.9.6 does not disable the "raw" or "include" commands when providing untrusted users with restructured text (reStructuredText) functionality from docutils, which allows remote attackers to read arbitrary files, perform cross-site scripting (XSS) attacks, or cause a denial of service via...

6.8 CVSS | 6.5 AI score | 0.03036 EPSS
Exploits 0 | References 11 | Affected Software 1

OSV
added 2022/05/01 7:11 a.m. | 3 views

GHSA-R524-C2GF-5CHR Trac reStructuredText breach of privacy and denial of service vulnerability

Trac before 0.9.6 does not disable the "raw" or "include" commands when providing untrusted users with restructured text (reStructuredText) functionality from docutils, which allows remote attackers to read arbitrary files, perform cross-site scripting (XSS) attacks, or cause a denial of service via...

9.4 CVSS | 6.2 AI score | 0.03036 EPSS
Exploits 0 | References 10

Github Security Blog
added 2022/05/01 7:9 a.m. | 8 views

Zope allows local users to read arbitrary files

Zope 2.7.0 to 2.7.8, 2.8.0 to 2.8.7, and 2.9.0 to 2.9.3 (Zope2) does not disable the "raw" command when providing untrusted users with restructured text (reStructuredText) functionality from docutils, which allows local users to read arbitrary files...

2.1 CVSS | 6.5 AI score | 0.00072 EPSS
Exploits 0 | References 8 | Affected Software 1

OpenVAS
added 2022/04/03 12:0 a.m. | 18 views

Fedora: Security Advisory for pandoc (FEDORA-2022-1f981071eb)

The remote host is missing an update for the Copyright (C) 2022 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

9.8 CVSS | 9.6 AI score | 0.04189 EPSS
Exploits 3 | References 2

Github Security Blog
added 2021/06/15 4:11 p.m. | 52 views

Incorrect Permission Assignment for Critical Resource in Plone

Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script...

9.9 CVSS | 4.3 AI score | 0.00846 EPSS
Exploits 0 | References 5 | Affected Software 1

OSV
added 2021/06/15 4:11 p.m. | 25 views

GHSA-HM2P-FHWX-9285 Incorrect Permission Assignment for Critical Resource in Plone

Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script...

9.9 CVSS | 9 AI score | 0.00846 EPSS
Exploits 0 | References 6