Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/24484?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/24484?format=api", "purl": "pkg:pypi/gradio@0.9.9.2", "type": "pypi", "namespace": "", "name": "gradio", "version": "0.9.9.2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.7.0", "latest_non_vulnerable_version": "6.7.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9232?format=api", "vulnerability_id": "VCID-135r-znhp-5yge", "summary": "Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **timing attack** in the way Gradio compares hashes for the `analytics_dashboard` function. Since the comparison is not done in constant time, an attacker could exploit this by measuring the response time of different requests to infer the correct hash byte-by-byte. This can lead to unauthorized access to the analytics dashboard, especially if the attacker can repeatedly query the system with different keys. Users are advised to upgrade to `gradio>4.44` to mitigate this issue. To mitigate the risk before applying the patch, developers can manually patch the `analytics_dashboard` dashboard to use a **constant-time comparison** function for comparing sensitive values, such as hashes. Alternatively, access to the analytics dashboard can be disabled.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47869", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.36447", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47869" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-j757-pf57-f8r4", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:08:36Z/" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-j757-pf57-f8r4" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-199.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-199.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47869", "reference_id": "CVE-2024-47869", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47869" }, { "reference_url": "https://github.com/advisories/GHSA-j757-pf57-f8r4", "reference_id": "GHSA-j757-pf57-f8r4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j757-pf57-f8r4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42580?format=api", "purl": "pkg:pypi/gradio@4.44.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-cdyx-gjxu-zbgk" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-r5mb-vhku-5bbr" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-tcqh-cmqg-bqfq" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.44.0" } ], "aliases": [ "CVE-2024-47869", "GHSA-j757-pf57-f8r4", "PYSEC-2024-199" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-135r-znhp-5yge" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9555?format=api", "vulnerability_id": "VCID-17vf-h543-33ch", "summary": "Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ changed the definition of `os.path.isabs` so that root-relative paths like `/windows/win.ini` on Windows are no longer considered absolute paths, resulting in a vulnerability in Gradio's logic for joining paths safely. This can be exploited by unauthenticated attackers to read arbitrary files from the Gradio server, even when Gradio is set up with authentication. Version 6.7 fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28414", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.04212", "scoring_system": "epss", "scoring_elements": "0.88928", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28414" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/6011b00d0154b85532fa901dd73cf8fa7d86fd04", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/commit/6011b00d0154b85532fa901dd73cf8fa7d86fd04" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-39mp-8hj3-5c49", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T22:02:06Z/" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-39mp-8hj3-5c49" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28414", "reference_id": "CVE-2026-28414", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28414" }, { "reference_url": "https://github.com/advisories/GHSA-39mp-8hj3-5c49", "reference_id": "GHSA-39mp-8hj3-5c49", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-39mp-8hj3-5c49" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/47203?format=api", "purl": "pkg:pypi/gradio@6.7.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@6.7.0" } ], "aliases": [ "CVE-2026-28414", "GHSA-39mp-8hj3-5c49", "PYSEC-2026-64" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-17vf-h543-33ch" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/266102?format=api", "vulnerability_id": "VCID-2968-zwkj-tka2", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-48052", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00125", "scoring_system": "epss", "scoring_elements": "0.3141", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-48052" }, { "reference_url": "https://gist.github.com/AfterSnows/45ffc23797f9127e00755376cc610e12", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-06T19:19:51Z/" } ], "url": "https://gist.github.com/AfterSnows/45ffc23797f9127e00755376cc610e12" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48052", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48052" }, { "reference_url": "https://rumbling-slice-eb0.notion.site/FULL-SSRF-in-gr-DownloadButton-in-gradio-app-gradio-870b21e0908b48cbafd914719ac1a4e6?pvs=4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-06T19:19:51Z/" } ], "url": "https://rumbling-slice-eb0.notion.site/FULL-SSRF-in-gr-DownloadButton-in-gradio-app-gradio-870b21e0908b48cbafd914719ac1a4e6?pvs=4" }, { "reference_url": "https://github.com/advisories/GHSA-3gf9-wv65-gwh9", "reference_id": "GHSA-3gf9-wv65-gwh9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3gf9-wv65-gwh9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42579?format=api", "purl": "pkg:pypi/gradio@4.43.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-135r-znhp-5yge" }, { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-77wy-te8b-9qgc" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-cdyx-gjxu-zbgk" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-r5mb-vhku-5bbr" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-tcqh-cmqg-bqfq" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-w8ua-mp21-v3cv" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zycs-zpma-xqey" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.43.0" } ], "aliases": [ "CVE-2024-48052", "GHSA-3gf9-wv65-gwh9" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2968-zwkj-tka2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/19710?format=api", "vulnerability_id": "VCID-38nv-9rjy-2bfp", "summary": "Cross-Site Request Forgery in Gradio\nA Cross-Site Request Forgery gives attackers the ability to upload many large files to a victim, if they are running Gradio locally. To resolve this a PR tightening the CORS rules around Gradio applications has been submitted. In particular, it checks to see if the host header is localhost (or one of its aliases) and if so, it requires the origin header (if present) to be localhost (or one of its aliases) as well.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-1727", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00151", "scoring_system": "epss", "scoring_elements": "0.35382", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-1727" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-25T16:25:33Z/" } ], "url": "https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a" }, { "reference_url": "https://github.com/gradio-app/gradio/pull/7503", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/pull/7503" }, { "reference_url": "https://huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-25T16:25:33Z/" } ], "url": "https://huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1727", "reference_id": "CVE-2024-1727", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1727" }, { "reference_url": "https://github.com/advisories/GHSA-3x9g-xfj5-fq84", "reference_id": "GHSA-3x9g-xfj5-fq84", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3x9g-xfj5-fq84" }, { "reference_url": "https://github.com/advisories/GHSA-48cq-79qq-6f7x", "reference_id": "GHSA-48cq-79qq-6f7x", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-48cq-79qq-6f7x" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-48cq-79qq-6f7x", "reference_id": "GHSA-48cq-79qq-6f7x", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-48cq-79qq-6f7x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39837?format=api", "purl": "pkg:pypi/gradio@4.19.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-135r-znhp-5yge" }, { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-2968-zwkj-tka2" }, { "vulnerability": "VCID-77wy-te8b-9qgc" }, { "vulnerability": "VCID-7my4-fvg8-kqhw" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-cdyx-gjxu-zbgk" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ebmj-b24k-dkbb" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-ghyh-u1nb-nygf" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-ry9e-qctr-7fbe" }, { "vulnerability": "VCID-tcqh-cmqg-bqfq" }, { "vulnerability": "VCID-u4rh-huaj-7bf4" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-w8ua-mp21-v3cv" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zycs-zpma-xqey" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.19.2" } ], "aliases": [ "CVE-2024-1727", "GHSA-3x9g-xfj5-fq84", "GHSA-48cq-79qq-6f7x" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-38nv-9rjy-2bfp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/8724?format=api", "vulnerability_id": "VCID-4v1z-hd63-4fc6", "summary": "Gradio is an open-source Python library to build machine learning and data science demos and web applications. Versions prior to 3.13.1 contain Use of Hard-coded Credentials. When using Gradio's share links (i.e. creating a Gradio app and then setting `share=True`), a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides. This issue is patched in version 3.13.1, however, users are recommended to update to 3.19.1 or later where the FRP solution has been properly tested.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-25823", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00408", "scoring_system": "epss", "scoring_elements": "0.61474", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-25823" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-3x5j-9vwr-8rr5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:56:59Z/" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-3x5j-9vwr-8rr5" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-16.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-16.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25823", "reference_id": "CVE-2023-25823", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25823" }, { "reference_url": "https://github.com/advisories/GHSA-3x5j-9vwr-8rr5", "reference_id": "GHSA-3x5j-9vwr-8rr5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3x5j-9vwr-8rr5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30860?format=api", "purl": "pkg:pypi/gradio@3.13.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-135r-znhp-5yge" }, { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-2968-zwkj-tka2" }, { "vulnerability": "VCID-38nv-9rjy-2bfp" }, { "vulnerability": "VCID-77wy-te8b-9qgc" }, { "vulnerability": "VCID-7my4-fvg8-kqhw" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-83yw-mt71-tyeq" }, { "vulnerability": "VCID-8bv8-xgvg-6kf9" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-aue3-ymt4-nqen" }, { "vulnerability": "VCID-c7fg-xz7c-fyhg" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ebmj-b24k-dkbb" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fcry-haph-rkgh" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-ghvm-1968-qubu" }, { "vulnerability": "VCID-ghyh-u1nb-nygf" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-hhz7-44uh-yucs" }, { "vulnerability": "VCID-kmrx-ftzg-5qe7" }, { "vulnerability": "VCID-mrwe-sxue-pbcg" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-ry9e-qctr-7fbe" }, { "vulnerability": "VCID-u38g-qy2t-67h2" }, { "vulnerability": "VCID-u4rh-huaj-7bf4" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-w8ua-mp21-v3cv" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-xffe-brwp-6yea" }, { "vulnerability": "VCID-z72y-7um8-p3dj" }, { "vulnerability": "VCID-zycs-zpma-xqey" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@3.13.1" } ], "aliases": [ "CVE-2023-25823", "GHSA-3x5j-9vwr-8rr5", "PYSEC-2023-16" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4v1z-hd63-4fc6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9226?format=api", "vulnerability_id": "VCID-77wy-te8b-9qgc", "summary": "Gradio is an open-source Python package designed for quick prototyping. This vulnerability is related to **CORS origin validation**, where the Gradio server fails to validate the request origin when a cookie is present. This allows an attacker’s website to make unauthorized requests to a local Gradio server. Potentially, attackers can upload files, steal authentication tokens, and access user data if the victim visits a malicious website while logged into Gradio. This impacts users who have deployed Gradio locally and use basic authentication. Users are advised to upgrade to `gradio>4.44` to address this issue. As a workaround, users can manually enforce stricter CORS origin validation by modifying the `CustomCORSMiddleware` class in their local Gradio server code. Specifically, they can bypass the condition that skips CORS validation for requests containing cookies to prevent potential exploitation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47084", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.3351", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47084" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-3c67-5hwx-f6wx", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:23:34Z/" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-3c67-5hwx-f6wx" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-196.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-196.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47084", "reference_id": "CVE-2024-47084", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47084" }, { "reference_url": "https://github.com/advisories/GHSA-3c67-5hwx-f6wx", "reference_id": "GHSA-3c67-5hwx-f6wx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3c67-5hwx-f6wx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42580?format=api", "purl": "pkg:pypi/gradio@4.44.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-cdyx-gjxu-zbgk" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-r5mb-vhku-5bbr" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-tcqh-cmqg-bqfq" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.44.0" } ], "aliases": [ "CVE-2024-47084", "GHSA-3c67-5hwx-f6wx", "PYSEC-2024-196" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-77wy-te8b-9qgc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9135?format=api", "vulnerability_id": "VCID-7my4-fvg8-kqhw", "summary": "A local file inclusion vulnerability exists in the JSON component of gradio-app/gradio version 4.25. The vulnerability arises from improper input validation in the `postprocess()` function within `gradio/components/json_component.py`, where a user-controlled string is parsed as JSON. If the parsed JSON object contains a `path` key, the specified file is moved to a temporary directory, making it possible to retrieve it later via the `/file=..` endpoint. This issue is due to the `processing_utils.move_files_to_cache()` function traversing any object passed to it, looking for a dictionary with a `path` key, and then copying the specified file to a temporary directory. The vulnerability can be exploited by an attacker to read files on the remote system, posing a significant security risk.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-4941", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00686", "scoring_system": "epss", "scoring_elements": "0.72035", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-4941" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/ee1e2942e0a1ae84a08a05464e41c8108a03fa9c", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T18:13:53Z/" } ], "url": "https://github.com/gradio-app/gradio/commit/ee1e2942e0a1ae84a08a05464e41c8108a03fa9c" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-184.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-184.yaml" }, { "reference_url": "https://huntr.com/bounties/39889ce1-298d-4568-aecd-7ae40c2ca58e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T18:13:53Z/" } ], "url": "https://huntr.com/bounties/39889ce1-298d-4568-aecd-7ae40c2ca58e" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4941", "reference_id": "CVE-2024-4941", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4941" }, { "reference_url": "https://github.com/advisories/GHSA-6v6g-j5fq-hpvw", "reference_id": "GHSA-6v6g-j5fq-hpvw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6v6g-j5fq-hpvw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40106?format=api", "purl": "pkg:pypi/gradio@4.31.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-135r-znhp-5yge" }, { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-2968-zwkj-tka2" }, { "vulnerability": "VCID-77wy-te8b-9qgc" }, { "vulnerability": "VCID-7my4-fvg8-kqhw" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-cdyx-gjxu-zbgk" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ebmj-b24k-dkbb" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-ghyh-u1nb-nygf" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-tcqh-cmqg-bqfq" }, { "vulnerability": "VCID-u4rh-huaj-7bf4" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-w8ua-mp21-v3cv" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zycs-zpma-xqey" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.31.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/40107?format=api", "purl": "pkg:pypi/gradio@4.31.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-135r-znhp-5yge" }, { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-2968-zwkj-tka2" }, { "vulnerability": "VCID-77wy-te8b-9qgc" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-cdyx-gjxu-zbgk" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ebmj-b24k-dkbb" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-ghyh-u1nb-nygf" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-tcqh-cmqg-bqfq" }, { "vulnerability": "VCID-u4rh-huaj-7bf4" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-w8ua-mp21-v3cv" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zycs-zpma-xqey" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.31.4" } ], "aliases": [ "CVE-2024-4941", "GHSA-6v6g-j5fq-hpvw", "PYSEC-2024-184" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7my4-fvg8-kqhw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9557?format=api", "vulnerability_id": "VCID-7qyj-s1nm-ekay", "summary": "Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. Version 6.6.0 fixes the issue.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28416.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28416.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28416", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04944", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28416" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/fc7c01ea1e581ef70be98fddf003b0c91315c7cc", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/commit/fc7c01ea1e581ef70be98fddf003b0c91315c7cc" }, { "reference_url": "https://github.com/gradio-app/gradio/releases/tag/gradio%406.6.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/releases/tag/gradio%406.6.0" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:59:31Z/" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443453", "reference_id": "2443453", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443453" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28416", "reference_id": "CVE-2026-28416", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28416" }, { "reference_url": "https://github.com/advisories/GHSA-jmh7-g254-2cq9", "reference_id": "GHSA-jmh7-g254-2cq9", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jmh7-g254-2cq9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/47202?format=api", "purl": "pkg:pypi/gradio@6.6.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17vf-h543-33ch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@6.6.0" } ], "aliases": [ "CVE-2026-28416", "GHSA-jmh7-g254-2cq9", "PYSEC-2026-66" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7qyj-s1nm-ekay" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/8795?format=api", "vulnerability_id": "VCID-83yw-mt71-tyeq", "summary": "Gradio is an open-source Python library that is used to build machine learning and data science. Due to a lack of path filtering Gradio does not properly restrict file access to users. Additionally Gradio does not properly restrict the what URLs are proxied. These issues have been addressed in version 3.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34239", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0028", "scoring_system": "epss", "scoring_elements": "0.51571", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34239" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/37967617bd97615fb6f3b44e7750c0e0be58479a", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/commit/37967617bd97615fb6f3b44e7750c0e0be58479a" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/37967617bd97615fb6f3b44e7750c0e0be58479a#diff-324a7165f5d5a8823a28b76f5653fa45f32c8144c82b2e528882c97c7eae534f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/commit/37967617bd97615fb6f3b44e7750c0e0be58479a#diff-324a7165f5d5a8823a28b76f5653fa45f32c8144c82b2e528882c97c7eae534f" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/cd64130d54e678525774bbb200ef9c7166fa1543", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/commit/cd64130d54e678525774bbb200ef9c7166fa1543" }, { "reference_url": "https://github.com/gradio-app/gradio/pull/4370", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T20:33:03Z/" } ], "url": "https://github.com/gradio-app/gradio/pull/4370" }, { "reference_url": "https://github.com/gradio-app/gradio/pull/4406", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T20:33:03Z/" } ], "url": "https://github.com/gradio-app/gradio/pull/4406" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-3qqg-pgqq-3695", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T20:33:03Z/" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-3qqg-pgqq-3695" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-90.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-90.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34239", "reference_id": "CVE-2023-34239", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34239" }, { "reference_url": "https://github.com/advisories/GHSA-3qqg-pgqq-3695", "reference_id": "GHSA-3qqg-pgqq-3695", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3qqg-pgqq-3695" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32888?format=api", "purl": "pkg:pypi/gradio@3.34.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-135r-znhp-5yge" }, { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-2968-zwkj-tka2" }, { "vulnerability": "VCID-38nv-9rjy-2bfp" }, { "vulnerability": "VCID-77wy-te8b-9qgc" }, { "vulnerability": "VCID-7my4-fvg8-kqhw" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8bv8-xgvg-6kf9" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-aue3-ymt4-nqen" }, { "vulnerability": "VCID-c7fg-xz7c-fyhg" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ebmj-b24k-dkbb" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fcry-haph-rkgh" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-ghvm-1968-qubu" }, { "vulnerability": "VCID-ghyh-u1nb-nygf" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-hhz7-44uh-yucs" }, { "vulnerability": "VCID-kmrx-ftzg-5qe7" }, { "vulnerability": "VCID-mrwe-sxue-pbcg" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-ry9e-qctr-7fbe" }, { "vulnerability": "VCID-u38g-qy2t-67h2" }, { "vulnerability": "VCID-u4rh-huaj-7bf4" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-w8ua-mp21-v3cv" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-xffe-brwp-6yea" }, { "vulnerability": "VCID-z72y-7um8-p3dj" }, { "vulnerability": "VCID-zycs-zpma-xqey" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@3.34.0" } ], "aliases": [ "CVE-2023-34239", "GHSA-3qqg-pgqq-3695", "PYSEC-2023-90" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-83yw-mt71-tyeq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/19768?format=api", "vulnerability_id": "VCID-8bv8-xgvg-6kf9", "summary": "gradio Server-Side Request Forgery vulnerability\nThe /proxy route allows a user to proxy arbitrary urls including potential internal endpoints.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2206", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00131", "scoring_system": "epss", "scoring_elements": "0.32247", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2206" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/49d9c48537aa706bf72628e3640389470138bdc6", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-20T18:26:27Z/" } ], "url": "https://github.com/gradio-app/gradio/commit/49d9c48537aa706bf72628e3640389470138bdc6" }, { "reference_url": "https://huntr.com/bounties/2286c1ed-b889-45d6-adda-7014ea06d98e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-20T18:26:27Z/" } ], "url": "https://huntr.com/bounties/2286c1ed-b889-45d6-adda-7014ea06d98e" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2206", "reference_id": "CVE-2024-2206", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2206" }, { "reference_url": "https://github.com/advisories/GHSA-r364-m2j9-mf4h", "reference_id": "GHSA-r364-m2j9-mf4h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r364-m2j9-mf4h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39834?format=api", "purl": "pkg:pypi/gradio@4.18.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-135r-znhp-5yge" }, { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-2968-zwkj-tka2" }, { "vulnerability": "VCID-38nv-9rjy-2bfp" }, { "vulnerability": "VCID-77wy-te8b-9qgc" }, { "vulnerability": "VCID-7my4-fvg8-kqhw" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-cdyx-gjxu-zbgk" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ebmj-b24k-dkbb" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fcry-haph-rkgh" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-ghvm-1968-qubu" }, { "vulnerability": "VCID-ghyh-u1nb-nygf" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kmrx-ftzg-5qe7" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-ry9e-qctr-7fbe" }, { "vulnerability": "VCID-tcqh-cmqg-bqfq" }, { "vulnerability": "VCID-u4rh-huaj-7bf4" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-w8ua-mp21-v3cv" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zycs-zpma-xqey" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.18.0" } ], "aliases": [ "CVE-2024-2206", "GHSA-r364-m2j9-mf4h" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8bv8-xgvg-6kf9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/243251?format=api", "vulnerability_id": "VCID-8n3u-687v-2feg", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12217", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00324", "scoring_system": "epss", "scoring_elements": "0.55675", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12217" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/blob/67e4044c9ca8358eceeb1fa72fa415df03397d20/gradio/utils.py#L1061-L1074", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/blob/67e4044c9ca8358eceeb1fa72fa415df03397d20/gradio/utils.py#L1061-L1074" }, { "reference_url": "https://huntr.com/bounties/0439bf3d-cb38-43a5-8314-0fadf85cc5a0", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T15:14:55Z/" } ], "url": "https://huntr.com/bounties/0439bf3d-cb38-43a5-8314-0fadf85cc5a0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12217", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12217" }, { "reference_url": "https://github.com/advisories/GHSA-prpg-p95c-32fv", "reference_id": "GHSA-prpg-p95c-32fv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-prpg-p95c-32fv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42700?format=api", "purl": "pkg:pypi/gradio@5.0.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zgc3-regn-3ubp" }, { "vulnerability": "VCID-zgd4-q6ss-g3a6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.2" } ], "aliases": [ "CVE-2024-12217", "GHSA-prpg-p95c-32fv" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8n3u-687v-2feg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9229?format=api", "vulnerability_id": "VCID-a3xu-7cqy-gyhd", "summary": "Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **Server-Side Request Forgery (SSRF)** in the `/queue/join` endpoint. Gradio’s `async_save_url_to_cache` function allows attackers to force the Gradio server to send HTTP requests to user-controlled URLs. This could enable attackers to target internal servers or services within a local network and possibly exfiltrate data or cause unwanted internal requests. Additionally, the content from these URLs is stored locally, making it easier for attackers to upload potentially malicious files to the server. This impacts users deploying Gradio servers that use components like the Video component which involve URL fetching. Users are advised to upgrade to `gradio>=5` to address this issue. As a workaround, users can disable or heavily restrict URL-based inputs in their Gradio applications to trusted domains only. Additionally, implementing stricter URL validation (such as allowinglist-based validation) and ensuring that local or internal network addresses cannot be requested via the `/queue/join` endpoint can help mitigate the risk of SSRF attacks.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47167", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00236", "scoring_system": "epss", "scoring_elements": "0.46675", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47167" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-576c-3j53-r9jj", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:26:59Z/" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-576c-3j53-r9jj" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-215.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-215.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47167", "reference_id": "CVE-2024-47167", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47167" }, { "reference_url": "https://github.com/advisories/GHSA-576c-3j53-r9jj", "reference_id": "GHSA-576c-3j53-r9jj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-576c-3j53-r9jj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42589?format=api", "purl": "pkg:pypi/gradio@5.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zgc3-regn-3ubp" }, { "vulnerability": "VCID-zgd4-q6ss-g3a6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0" } ], "aliases": [ "CVE-2024-47167", "GHSA-576c-3j53-r9jj", "PYSEC-2024-215" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a3xu-7cqy-gyhd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/8992?format=api", "vulnerability_id": "VCID-aue3-ymt4-nqen", "summary": "Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Versions of `gradio` prior to 4.11.0 contained a vulnerability in the `/file` route which made them susceptible to file traversal attacks in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with `share=True`, or on Hugging Face Spaces) if they knew the path of files to look for. This issue has been patched in version 4.11.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-51449", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.81488", "scoring_system": "epss", "scoring_elements": "0.99201", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-51449" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/1b9d4234d6c25ef250d882c7b90e1f4039ed2d76", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T21:07:15Z/" } ], "url": "https://github.com/gradio-app/gradio/commit/1b9d4234d6c25ef250d882c7b90e1f4039ed2d76" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/7ba8c5da45b004edd12c0460be9222f5b5f5f055", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T21:07:15Z/" } ], "url": "https://github.com/gradio-app/gradio/commit/7ba8c5da45b004edd12c0460be9222f5b5f5f055" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-6qm2-wpxq-7qh2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T21:07:15Z/" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-6qm2-wpxq-7qh2" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-249.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-249.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51449", "reference_id": "CVE-2023-51449", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51449" }, { "reference_url": "https://github.com/advisories/GHSA-6qm2-wpxq-7qh2", "reference_id": "GHSA-6qm2-wpxq-7qh2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6qm2-wpxq-7qh2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/37267?format=api", "purl": "pkg:pypi/gradio@4.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-135r-znhp-5yge" }, { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-2968-zwkj-tka2" }, { "vulnerability": "VCID-38nv-9rjy-2bfp" }, { "vulnerability": "VCID-77wy-te8b-9qgc" }, { "vulnerability": "VCID-7my4-fvg8-kqhw" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8bv8-xgvg-6kf9" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-c7fg-xz7c-fyhg" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-cdyx-gjxu-zbgk" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ebmj-b24k-dkbb" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fcry-haph-rkgh" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-ghvm-1968-qubu" }, { "vulnerability": "VCID-ghyh-u1nb-nygf" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-hhz7-44uh-yucs" }, { "vulnerability": "VCID-kmrx-ftzg-5qe7" }, { "vulnerability": "VCID-mrwe-sxue-pbcg" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-ry9e-qctr-7fbe" }, { "vulnerability": "VCID-tcqh-cmqg-bqfq" }, { "vulnerability": "VCID-u4rh-huaj-7bf4" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-w8ua-mp21-v3cv" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-xffe-brwp-6yea" }, { "vulnerability": "VCID-zycs-zpma-xqey" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.11.0" } ], "aliases": [ "CVE-2023-51449", "GHSA-6qm2-wpxq-7qh2", "PYSEC-2023-249" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-aue3-ymt4-nqen" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/340678?format=api", "vulnerability_id": "VCID-c7fg-xz7c-fyhg", "summary": "Gradio's Component Server does not properly consider` _is_server_fn` for functions", "references": [ { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2" }, { "reference_url": "https://www.gradio.app/changelog#4-13-0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.gradio.app/changelog#4-13-0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34511", "reference_id": "CVE-2024-34511", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34511" }, { "reference_url": "https://github.com/advisories/GHSA-34rf-p3r3-58x2", "reference_id": "GHSA-34rf-p3r3-58x2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-34rf-p3r3-58x2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/37269?format=api", "purl": "pkg:pypi/gradio@4.13.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-135r-znhp-5yge" }, { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-2968-zwkj-tka2" }, { "vulnerability": "VCID-38nv-9rjy-2bfp" }, { "vulnerability": "VCID-77wy-te8b-9qgc" }, { "vulnerability": "VCID-7my4-fvg8-kqhw" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8bv8-xgvg-6kf9" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-cdyx-gjxu-zbgk" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ebmj-b24k-dkbb" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fcry-haph-rkgh" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-ghvm-1968-qubu" }, { "vulnerability": "VCID-ghyh-u1nb-nygf" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-hhz7-44uh-yucs" }, { "vulnerability": "VCID-kmrx-ftzg-5qe7" }, { "vulnerability": "VCID-mrwe-sxue-pbcg" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-ry9e-qctr-7fbe" }, { "vulnerability": "VCID-tcqh-cmqg-bqfq" }, { "vulnerability": "VCID-u4rh-huaj-7bf4" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-w8ua-mp21-v3cv" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zycs-zpma-xqey" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.13.0" } ], "aliases": [ "CVE-2024-34511", "GHSA-34rf-p3r3-58x2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c7fg-xz7c-fyhg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9231?format=api", "vulnerability_id": "VCID-cbe3-n9tq-6yas", "summary": "Gradio is an open-source Python package designed for quick prototyping. This is a **data validation vulnerability** affecting several Gradio components, which allows arbitrary file leaks through the post-processing step. Attackers can exploit these components by crafting requests that bypass expected input constraints. This issue could lead to sensitive files being exposed to unauthorized users, especially when combined with other vulnerabilities, such as issue TOB-GRADIO-15. The components most at risk are those that return or handle file data. Vulnerable Components: 1. **String to FileData:** DownloadButton, Audio, ImageEditor, Video, Model3D, File, UploadButton. 2. **Complex data to FileData:** Chatbot, MultimodalTextbox. 3. **Direct file read in preprocess:** Code. 4. **Dictionary converted to FileData:** ParamViewer, Dataset. Exploit Scenarios: 1. A developer creates a Dropdown list that passes values to a DownloadButton. An attacker bypasses the allowed inputs, sends an arbitrary file path (like `/etc/passwd`), and downloads sensitive files. 2. An attacker crafts a malicious payload in a ParamViewer component, leaking sensitive files from a server through the arbitrary file leak. This issue has been resolved in `gradio>5.0`. Upgrading to the latest version will mitigate this vulnerability. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47868", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00201", "scoring_system": "epss", "scoring_elements": "0.42089", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47868" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-4q3c-cj7g-jcwf", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:07:53Z/" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-4q3c-cj7g-jcwf" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-217.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-217.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47868", "reference_id": "CVE-2024-47868", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47868" }, { "reference_url": "https://github.com/advisories/GHSA-4q3c-cj7g-jcwf", "reference_id": "GHSA-4q3c-cj7g-jcwf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4q3c-cj7g-jcwf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42589?format=api", "purl": "pkg:pypi/gradio@5.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zgc3-regn-3ubp" }, { "vulnerability": "VCID-zgd4-q6ss-g3a6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0" } ], "aliases": [ "CVE-2024-47868", "GHSA-4q3c-cj7g-jcwf", "PYSEC-2024-217" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cbe3-n9tq-6yas" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9227?format=api", "vulnerability_id": "VCID-dugv-7fyw-dke5", "summary": "Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to the **bypass of directory traversal checks** within the `is_in_or_equal` function. This function, intended to check if a file resides within a given directory, can be bypassed with certain payloads that manipulate file paths using `..` (parent directory) sequences. Attackers could potentially access restricted files if they are able to exploit this flaw, although the difficulty is high. This primarily impacts users relying on Gradio’s blocklist or directory access validation, particularly when handling file uploads. Users are advised to upgrade to `gradio>=5.0` to address this issue. As a workaround, users can manually sanitize and normalize file paths in their Gradio deployment before passing them to the `is_in_or_equal` function. Ensuring that all file paths are properly resolved and absolute can help mitigate the bypass vulnerabilities caused by the improper handling of `..` sequences or malformed paths.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47164", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.42206", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47164" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/08b51590163b306fd874f543f6fcaf23ac7d2646", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/commit/08b51590163b306fd874f543f6fcaf23ac7d2646" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-77xq-6g77-h274", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:24:39Z/" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-77xq-6g77-h274" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-213.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-213.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47164", "reference_id": "CVE-2024-47164", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47164" }, { "reference_url": "https://github.com/advisories/GHSA-77xq-6g77-h274", "reference_id": "GHSA-77xq-6g77-h274", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-77xq-6g77-h274" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42589?format=api", "purl": "pkg:pypi/gradio@5.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zgc3-regn-3ubp" }, { "vulnerability": "VCID-zgd4-q6ss-g3a6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0" } ], "aliases": [ "CVE-2024-47164", "GHSA-77xq-6g77-h274", "PYSEC-2024-213" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dugv-7fyw-dke5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/275896?format=api", "vulnerability_id": "VCID-ebmj-b24k-dkbb", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8021", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02447", "scoring_system": "epss", "scoring_elements": "0.85449", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8021" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://huntr.com/bounties/adc23067-ec04-47ef-9265-afd452071888", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-20T13:11:00Z/" } ], "url": "https://huntr.com/bounties/adc23067-ec04-47ef-9265-afd452071888" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8021", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8021" }, { "reference_url": "https://github.com/advisories/GHSA-7v2w-h4gh-w5cv", "reference_id": "GHSA-7v2w-h4gh-w5cv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7v2w-h4gh-w5cv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42573?format=api", "purl": "pkg:pypi/gradio@4.38.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-135r-znhp-5yge" }, { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-2968-zwkj-tka2" }, { "vulnerability": "VCID-77wy-te8b-9qgc" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-cdyx-gjxu-zbgk" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-r5mb-vhku-5bbr" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-tcqh-cmqg-bqfq" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-w8ua-mp21-v3cv" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zycs-zpma-xqey" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.38.0" } ], "aliases": [ "CVE-2024-8021", "GHSA-7v2w-h4gh-w5cv" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ebmj-b24k-dkbb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9236?format=api", "vulnerability_id": "VCID-ec3r-7thk-mbhr", "summary": "Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **race condition** in the `update_root_in_config` function, allowing an attacker to modify the `root` URL used by the Gradio frontend to communicate with the backend. By exploiting this flaw, an attacker can redirect user traffic to a malicious server. This could lead to the interception of sensitive data such as authentication credentials or uploaded files. This impacts all users who connect to a Gradio server, especially those exposed to the internet, where malicious actors could exploit this race condition. Users are advised to upgrade to `gradio>=5` to address this issue. There are no known workarounds for this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47870", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00192", "scoring_system": "epss", "scoring_elements": "0.4092", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47870" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-xh2x-3mrm-fwqm", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-11T15:16:16Z/" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-xh2x-3mrm-fwqm" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-218.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-218.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47870", "reference_id": "CVE-2024-47870", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47870" }, { "reference_url": "https://github.com/advisories/GHSA-xh2x-3mrm-fwqm", "reference_id": "GHSA-xh2x-3mrm-fwqm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xh2x-3mrm-fwqm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42589?format=api", "purl": "pkg:pypi/gradio@5.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zgc3-regn-3ubp" }, { "vulnerability": "VCID-zgd4-q6ss-g3a6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0" } ], "aliases": [ "CVE-2024-47870", "GHSA-xh2x-3mrm-fwqm", "PYSEC-2024-218" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ec3r-7thk-mbhr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/19872?format=api", "vulnerability_id": "VCID-fcry-haph-rkgh", "summary": "Duplicate Advisory: Gradio Local File Inclusion vulnerability\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-m842-4qm8-7gpq. This link is maintained to preserve external references.\n\n## Original Description\ngradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component. Attackers can exploit this vulnerability to read arbitrary files on the filesystem, such as private SSH keys, by manipulating the file path in the request to the `/queue/join` endpoint. This issue could potentially lead to remote code execution. The vulnerability is present in the handling of file upload paths, allowing attackers to redirect file uploads to unintended locations on the server.", "references": [ { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/16fbe9cd0cffa9f2a824a0165beb43446114eec7", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/commit/16fbe9cd0cffa9f2a824a0165beb43446114eec7" }, { "reference_url": "https://huntr.com/bounties/9bb33b71-7995-425d-91cc-2c2a2f2a068a", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.com/bounties/9bb33b71-7995-425d-91cc-2c2a2f2a068a" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1728", "reference_id": "CVE-2024-1728", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1728" }, { "reference_url": "https://github.com/advisories/GHSA-3f95-mxq2-2f63", "reference_id": "GHSA-3f95-mxq2-2f63", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3f95-mxq2-2f63" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39837?format=api", "purl": "pkg:pypi/gradio@4.19.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-135r-znhp-5yge" }, { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-2968-zwkj-tka2" }, { "vulnerability": "VCID-77wy-te8b-9qgc" }, { "vulnerability": "VCID-7my4-fvg8-kqhw" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-cdyx-gjxu-zbgk" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ebmj-b24k-dkbb" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-ghyh-u1nb-nygf" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-ry9e-qctr-7fbe" }, { "vulnerability": "VCID-tcqh-cmqg-bqfq" }, { "vulnerability": "VCID-u4rh-huaj-7bf4" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-w8ua-mp21-v3cv" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zycs-zpma-xqey" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.19.2" } ], "aliases": [ "GHSA-3f95-mxq2-2f63" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fcry-haph-rkgh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9409?format=api", "vulnerability_id": "VCID-fjuj-9xc6-bkac", "summary": "Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Prior to version 5.31.0, an arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy any readable file from the server's filesystem. While attackers can't read these copied files, they can cause DoS by copying large files (like /dev/urandom) to fill disk space. This issue has been patched in version 5.31.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-48889", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01469", "scoring_system": "epss", "scoring_elements": "0.81229", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-48889" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-8jw3-6x8j-v96g", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-30T12:25:32Z/" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-8jw3-6x8j-v96g" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48889", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48889" }, { "reference_url": "https://github.com/advisories/GHSA-8jw3-6x8j-v96g", "reference_id": "GHSA-8jw3-6x8j-v96g", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8jw3-6x8j-v96g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44185?format=api", "purl": "pkg:pypi/gradio@5.31.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-kt73-gz4z-6faf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.31.0" } ], "aliases": [ "CVE-2025-48889", "GHSA-8jw3-6x8j-v96g", "PYSEC-2025-119" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fjuj-9xc6-bkac" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/19518?format=api", "vulnerability_id": "VCID-ghvm-1968-qubu", "summary": "Gradio apps vulnerable to timing attacks to guess password\n### Impact\nThis security policy is with regards to a timing attack that allows users of Gradio apps to potentially guess the password of password-protected Gradio apps. This relies on the fact that string comparisons in Python terminate early, as soon as there is a string mismatch. Because Gradio apps are, by default, not rate-limited, a user could brute-force millions of guesses to figure out the correct username and password.\n\n### Patches\nYes, the problem has been patched in Gradio version 4.19.2 or higher. We have no knowledge of this exploit being used against users of Gradio applications, but we encourage all users to upgrade to Gradio 4.19.2 or higher.\n\nFixed in: https://github.com/gradio-app/gradio/commit/e329f1fd38935213fe0e73962e8cbd5d3af6e87b", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-1729", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00082", "scoring_system": "epss", "scoring_elements": "0.24073", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-1729" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/e329f1fd38935213fe0e73962e8cbd5d3af6e87b", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-29T14:49:03Z/" } ], "url": "https://github.com/gradio-app/gradio/commit/e329f1fd38935213fe0e73962e8cbd5d3af6e87b" }, { "reference_url": "https://github.com/gradio-app/gradio/releases/tag/gradio%404.19.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/releases/tag/gradio%404.19.2" }, { "reference_url": "https://huntr.com/bounties/f6a10a8d-f538-4cb7-9bb2-85d9f5708124", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-29T14:49:03Z/" } ], "url": "https://huntr.com/bounties/f6a10a8d-f538-4cb7-9bb2-85d9f5708124" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1729", "reference_id": "CVE-2024-1729", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1729" }, { "reference_url": "https://github.com/advisories/GHSA-hmx6-r76c-85g9", "reference_id": "GHSA-hmx6-r76c-85g9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hmx6-r76c-85g9" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-hmx6-r76c-85g9", "reference_id": "GHSA-hmx6-r76c-85g9", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-hmx6-r76c-85g9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39837?format=api", "purl": "pkg:pypi/gradio@4.19.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-135r-znhp-5yge" }, { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-2968-zwkj-tka2" }, { "vulnerability": "VCID-77wy-te8b-9qgc" }, { "vulnerability": "VCID-7my4-fvg8-kqhw" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-cdyx-gjxu-zbgk" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ebmj-b24k-dkbb" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-ghyh-u1nb-nygf" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-ry9e-qctr-7fbe" }, { "vulnerability": "VCID-tcqh-cmqg-bqfq" }, { "vulnerability": "VCID-u4rh-huaj-7bf4" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-w8ua-mp21-v3cv" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zycs-zpma-xqey" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.19.2" } ], "aliases": [ "CVE-2024-1729", "GHSA-hmx6-r76c-85g9" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ghvm-1968-qubu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/267578?format=api", "vulnerability_id": "VCID-ghyh-u1nb-nygf", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-4325", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.65093", "scoring_system": "epss", "scoring_elements": "0.98498", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-4325" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/pull/8301", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/pull/8301" }, { "reference_url": "https://huntr.com/bounties/b34f084b-7d14-4f00-bc10-048a3a5aaf88", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-06T19:32:08Z/" } ], "url": "https://huntr.com/bounties/b34f084b-7d14-4f00-bc10-048a3a5aaf88" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4325", "reference_id": "CVE-2024-4325", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4325" }, { "reference_url": "https://github.com/advisories/GHSA-973g-55hp-3frw", "reference_id": "GHSA-973g-55hp-3frw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-973g-55hp-3frw" } ], "fixed_packages": [], "aliases": [ "CVE-2024-4325", "GHSA-973g-55hp-3frw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ghyh-u1nb-nygf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9556?format=api", "vulnerability_id": "VCID-gs22-farz-afdd", "summary": "Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled (i.e. apps running on Hugging Face Spaces with gr.LoginButton). Starting in version 6.6.0, the _target_url parameter is sanitized to only use the path, query, and fragment, stripping any scheme or host.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28415.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28415.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28415", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02218", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28415" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/dfee0da06d0aa94b3c2684131e7898d5d5c1911e", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/commit/dfee0da06d0aa94b3c2684131e7898d5d5c1911e" }, { "reference_url": "https://github.com/gradio-app/gradio/releases/tag/gradio%406.6.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/releases/tag/gradio%406.6.0" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-pfjf-5gxr-995x", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:55:30Z/" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-pfjf-5gxr-995x" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443449", "reference_id": "2443449", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443449" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28415", "reference_id": "CVE-2026-28415", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28415" }, { "reference_url": "https://github.com/advisories/GHSA-pfjf-5gxr-995x", "reference_id": "GHSA-pfjf-5gxr-995x", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pfjf-5gxr-995x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/47202?format=api", "purl": "pkg:pypi/gradio@6.6.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17vf-h543-33ch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@6.6.0" } ], "aliases": [ "CVE-2026-28415", "GHSA-pfjf-5gxr-995x", "PYSEC-2026-65" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gs22-farz-afdd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9234?format=api", "vulnerability_id": "VCID-gyvv-u98g-6keb", "summary": "Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **insecure communication** between the FRP (Fast Reverse Proxy) client and server when Gradio's `share=True` option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and read files uploaded to the Gradio server, as well as modify responses or data sent between the client and server. This impacts users who are sharing Gradio demos publicly over the internet using `share=True` without proper encryption, exposing sensitive data to potential eavesdroppers. Users are advised to upgrade to `gradio>=5` to address this issue. As a workaround, users can avoid using `share=True` in production environments and instead host their Gradio applications on servers with HTTPS enabled to ensure secure communication.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47871", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00083", "scoring_system": "epss", "scoring_elements": "0.24227", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47871" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-279j-x4gx-hfrh", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:19:13Z/" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-279j-x4gx-hfrh" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-219.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-219.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47871", "reference_id": "CVE-2024-47871", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47871" }, { "reference_url": "https://github.com/advisories/GHSA-279j-x4gx-hfrh", "reference_id": "GHSA-279j-x4gx-hfrh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-279j-x4gx-hfrh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42589?format=api", "purl": "pkg:pypi/gradio@5.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zgc3-regn-3ubp" }, { "vulnerability": "VCID-zgd4-q6ss-g3a6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0" } ], "aliases": [ "CVE-2024-47871", "GHSA-279j-x4gx-hfrh", "PYSEC-2024-219" ], "risk_score": 4.1, "exploitability": "0.5", "weighted_severity": "8.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gyvv-u98g-6keb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9295?format=api", "vulnerability_id": "VCID-hhx7-n4cb-qbcc", "summary": "Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Gradio's Access Control List (ACL) for file paths can be bypassed by altering the letter case of a blocked file or directory path. This vulnerability arises due to the lack of case normalization in the file path validation logic. On case-insensitive file systems, such as those used by Windows and macOS, this flaw enables attackers to circumvent security restrictions and access sensitive files that should be protected. This issue can lead to unauthorized data access, exposing sensitive information and undermining the integrity of Gradio's security model. Given Gradio's popularity for building web applications, particularly in machine learning and AI, this vulnerability may pose a substantial threat if exploited in production environments. This issue has been addressed in release version 5.6.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-23042", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00099", "scoring_system": "epss", "scoring_elements": "0.2731", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-23042" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/6b63fdec441b5c9bf910f910a2505d8defbb6bf8", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/commit/6b63fdec441b5c9bf910f910a2505d8defbb6bf8" }, { "reference_url": "https://github.com/gradio-app/gradio/releases/tag/gradio%405.11.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/releases/tag/gradio%405.11.0" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-j2jg-fq62-7c3h", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-15T14:18:00Z/" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-j2jg-fq62-7c3h" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23042", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23042" }, { "reference_url": "https://github.com/advisories/GHSA-j2jg-fq62-7c3h", "reference_id": "GHSA-j2jg-fq62-7c3h", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j2jg-fq62-7c3h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/43228?format=api", "purl": "pkg:pypi/gradio@5.6.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zgd4-q6ss-g3a6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.6.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/47127?format=api", "purl": "pkg:pypi/gradio@5.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zgd4-q6ss-g3a6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.11.0" } ], "aliases": [ "CVE-2025-23042", "GHSA-j2jg-fq62-7c3h", "PYSEC-2025-118" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hhx7-n4cb-qbcc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/19772?format=api", "vulnerability_id": "VCID-hhz7-44uh-yucs", "summary": "Gradio's CI vulnerable to Command Injection\nPreviously, it was possible to exfiltrate secrets in Gradio's CI, but this is now fixed.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-1540", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00526", "scoring_system": "epss", "scoring_elements": "0.67315", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-1540" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/d56bb28df80d8db1f33e4acf4f6b2c4f87cb8b28", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-21T14:49:09Z/" } ], "url": "https://github.com/gradio-app/gradio/commit/d56bb28df80d8db1f33e4acf4f6b2c4f87cb8b28" }, { "reference_url": "https://huntr.com/bounties/0e39e974-9a66-476f-91f5-3f37abb03d77", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-21T14:49:09Z/" } ], "url": "https://huntr.com/bounties/0e39e974-9a66-476f-91f5-3f37abb03d77" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1540", "reference_id": "CVE-2024-1540", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1540" }, { "reference_url": "https://github.com/advisories/GHSA-xcgp-r7r8-2hc9", "reference_id": "GHSA-xcgp-r7r8-2hc9", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xcgp-r7r8-2hc9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39834?format=api", "purl": "pkg:pypi/gradio@4.18.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-135r-znhp-5yge" }, { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-2968-zwkj-tka2" }, { "vulnerability": "VCID-38nv-9rjy-2bfp" }, { "vulnerability": "VCID-77wy-te8b-9qgc" }, { "vulnerability": "VCID-7my4-fvg8-kqhw" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-cdyx-gjxu-zbgk" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ebmj-b24k-dkbb" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fcry-haph-rkgh" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-ghvm-1968-qubu" }, { "vulnerability": "VCID-ghyh-u1nb-nygf" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kmrx-ftzg-5qe7" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-ry9e-qctr-7fbe" }, { "vulnerability": "VCID-tcqh-cmqg-bqfq" }, { "vulnerability": "VCID-u4rh-huaj-7bf4" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-w8ua-mp21-v3cv" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zycs-zpma-xqey" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.18.0" } ], "aliases": [ "CVE-2024-1540", "GHSA-xcgp-r7r8-2hc9" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hhz7-44uh-yucs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/245591?format=api", "vulnerability_id": "VCID-kmrx-ftzg-5qe7", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-1728", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.85087", "scoring_system": "epss", "scoring_elements": "0.99367", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-1728" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/16fbe9cd0cffa9f2a824a0165beb43446114eec7", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-15T18:41:26Z/" } ], "url": "https://github.com/gradio-app/gradio/commit/16fbe9cd0cffa9f2a824a0165beb43446114eec7" }, { "reference_url": "https://huntr.com/bounties/9bb33b71-7995-425d-91cc-2c2a2f2a068a", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-15T18:41:26Z/" } ], "url": "https://huntr.com/bounties/9bb33b71-7995-425d-91cc-2c2a2f2a068a" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1728", "reference_id": "CVE-2024-1728", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1728" }, { "reference_url": "https://github.com/advisories/GHSA-m842-4qm8-7gpq", "reference_id": "GHSA-m842-4qm8-7gpq", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m842-4qm8-7gpq" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-m842-4qm8-7gpq", "reference_id": "GHSA-m842-4qm8-7gpq", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-m842-4qm8-7gpq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39837?format=api", "purl": "pkg:pypi/gradio@4.19.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-135r-znhp-5yge" }, { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-2968-zwkj-tka2" }, { "vulnerability": "VCID-77wy-te8b-9qgc" }, { "vulnerability": "VCID-7my4-fvg8-kqhw" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-cdyx-gjxu-zbgk" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ebmj-b24k-dkbb" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-ghyh-u1nb-nygf" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-ry9e-qctr-7fbe" }, { "vulnerability": "VCID-tcqh-cmqg-bqfq" }, { "vulnerability": "VCID-u4rh-huaj-7bf4" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-w8ua-mp21-v3cv" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zycs-zpma-xqey" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.19.2" } ], "aliases": [ "CVE-2024-1728", "GHSA-m842-4qm8-7gpq" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kmrx-ftzg-5qe7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/8981?format=api", "vulnerability_id": "VCID-mrwe-sxue-pbcg", "summary": "Command Injection in GitHub repository gradio-app/gradio prior to main.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6572", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02454", "scoring_system": "epss", "scoring_elements": "0.85472", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6572" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/5b5af1899dd98d63e1f9b48a93601c2db1f56520", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-22T17:40:43Z/" } ], "url": "https://github.com/gradio-app/gradio/commit/5b5af1899dd98d63e1f9b48a93601c2db1f56520" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-255.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-255.yaml" }, { "reference_url": "https://huntr.com/bounties/21d2ff0c-d43a-4afd-bb4d-049ee8da5b5c", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-22T17:40:43Z/" } ], "url": "https://huntr.com/bounties/21d2ff0c-d43a-4afd-bb4d-049ee8da5b5c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6572", "reference_id": "CVE-2023-6572", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6572" }, { "reference_url": "https://github.com/advisories/GHSA-gqvf-3hgp-5hxv", "reference_id": "GHSA-gqvf-3hgp-5hxv", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gqvf-3hgp-5hxv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/37270?format=api", "purl": "pkg:pypi/gradio@4.14.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-135r-znhp-5yge" }, { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-2968-zwkj-tka2" }, { "vulnerability": "VCID-38nv-9rjy-2bfp" }, { "vulnerability": "VCID-77wy-te8b-9qgc" }, { "vulnerability": "VCID-7my4-fvg8-kqhw" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8bv8-xgvg-6kf9" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-cdyx-gjxu-zbgk" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ebmj-b24k-dkbb" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fcry-haph-rkgh" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-ghvm-1968-qubu" }, { "vulnerability": "VCID-ghyh-u1nb-nygf" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-hhz7-44uh-yucs" }, { "vulnerability": "VCID-kmrx-ftzg-5qe7" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-ry9e-qctr-7fbe" }, { "vulnerability": "VCID-tcqh-cmqg-bqfq" }, { "vulnerability": "VCID-u4rh-huaj-7bf4" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-w8ua-mp21-v3cv" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zycs-zpma-xqey" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.14.0" } ], "aliases": [ "CVE-2023-6572", "GHSA-gqvf-3hgp-5hxv", "PYSEC-2023-255" ], "risk_score": 3.6, "exploitability": "0.5", "weighted_severity": "7.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mrwe-sxue-pbcg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/8345?format=api", "vulnerability_id": "VCID-r4jn-wcux-qqd7", "summary": "`gradio` is an open source framework for building interactive machine learning models and demos. Prior to version 2.8.11, `gradio` suffers from Improper Neutralization of Formula Elements in a CSV File. The `gradio` library has a flagging functionality which saves input/output data into a CSV file on the developer's computer. This can allow a user to save arbitrary text into the CSV file, such as commands. If a program like MS Excel opens such a file, then it automatically runs these commands, which could lead to arbitrary commands running on the user's computer. The problem has been patched as of `2.8.11`, which escapes the saved csv with single quotes. As a workaround, avoid opening csv files generated by `gradio` with Excel or similar spreadsheet programs.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24770", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00591", "scoring_system": "epss", "scoring_elements": "0.69548", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24770" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/80fea89117358ee105973453fdc402398ae20239", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:02Z/" } ], "url": "https://github.com/gradio-app/gradio/commit/80fea89117358ee105973453fdc402398ae20239" }, { "reference_url": "https://github.com/gradio-app/gradio/pull/817", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:02Z/" } ], "url": "https://github.com/gradio-app/gradio/pull/817" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-f8xq-q7px-wg8c", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:02Z/" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-f8xq-q7px-wg8c" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2022-229.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2022-229.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24770", "reference_id": "CVE-2022-24770", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24770" }, { "reference_url": "https://github.com/advisories/GHSA-f8xq-q7px-wg8c", "reference_id": "GHSA-f8xq-q7px-wg8c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f8xq-q7px-wg8c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/25859?format=api", "purl": "pkg:pypi/gradio@2.8.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-135r-znhp-5yge" }, { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-2968-zwkj-tka2" }, { "vulnerability": "VCID-38nv-9rjy-2bfp" }, { "vulnerability": "VCID-4v1z-hd63-4fc6" }, { "vulnerability": "VCID-77wy-te8b-9qgc" }, { "vulnerability": "VCID-7my4-fvg8-kqhw" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-83yw-mt71-tyeq" }, { "vulnerability": "VCID-8bv8-xgvg-6kf9" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-aue3-ymt4-nqen" }, { "vulnerability": "VCID-c7fg-xz7c-fyhg" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ebmj-b24k-dkbb" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fcry-haph-rkgh" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-ghvm-1968-qubu" }, { "vulnerability": "VCID-ghyh-u1nb-nygf" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-hhz7-44uh-yucs" }, { "vulnerability": "VCID-kmrx-ftzg-5qe7" }, { "vulnerability": "VCID-mrwe-sxue-pbcg" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-ry9e-qctr-7fbe" }, { "vulnerability": "VCID-u38g-qy2t-67h2" }, { "vulnerability": "VCID-u4rh-huaj-7bf4" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-w8ua-mp21-v3cv" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-xffe-brwp-6yea" }, { "vulnerability": "VCID-z72y-7um8-p3dj" }, { "vulnerability": "VCID-zycs-zpma-xqey" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@2.8.11" } ], "aliases": [ "CVE-2022-24770", "GHSA-f8xq-q7px-wg8c", "PYSEC-2022-229" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r4jn-wcux-qqd7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9228?format=api", "vulnerability_id": "VCID-rdck-p2jh-cfbz", "summary": "Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **CORS origin validation accepting a null origin**. When a Gradio server is deployed locally, the `localhost_aliases` variable includes \"null\" as a valid origin. This allows attackers to make unauthorized requests from sandboxed iframes or other sources with a null origin, potentially leading to data theft, such as user authentication tokens or uploaded files. This impacts users running Gradio locally, especially those using basic authentication. Users are advised to upgrade to `gradio>=5.0` to address this issue. As a workaround, users can manually modify the `localhost_aliases` list in their local Gradio deployment to exclude \"null\" as a valid origin. By removing this value, the Gradio server will no longer accept requests from sandboxed iframes or sources with a null origin, mitigating the potential for exploitation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47165", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00168", "scoring_system": "epss", "scoring_elements": "0.37669", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47165" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-89v2-pqfv-c5r9", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:25:38Z/" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-89v2-pqfv-c5r9" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-214.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-214.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47165", "reference_id": "CVE-2024-47165", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47165" }, { "reference_url": "https://github.com/advisories/GHSA-89v2-pqfv-c5r9", "reference_id": "GHSA-89v2-pqfv-c5r9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-89v2-pqfv-c5r9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42589?format=api", "purl": "pkg:pypi/gradio@5.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zgc3-regn-3ubp" }, { "vulnerability": "VCID-zgd4-q6ss-g3a6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0" } ], "aliases": [ "CVE-2024-47165", "GHSA-89v2-pqfv-c5r9", "PYSEC-2024-214" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rdck-p2jh-cfbz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9235?format=api", "vulnerability_id": "VCID-reuv-7se1-pubz", "summary": "Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **Cross-Site Scripting (XSS)** on any Gradio server that allows file uploads. Authenticated users can upload files such as HTML, JavaScript, or SVG files containing malicious scripts. When other users download or view these files, the scripts will execute in their browser, allowing attackers to perform unauthorized actions or steal sensitive information from their sessions. This impacts any Gradio server that allows file uploads, particularly those using components that process or display user-uploaded files. Users are advised to upgrade to `gradio>=5` to address this issue. As a workaround, users can restrict the types of files that can be uploaded to the Gradio server by limiting uploads to non-executable file types such as images or text. Additionally, developers can implement server-side validation to sanitize uploaded files, ensuring that HTML, JavaScript, and SVG files are properly handled or rejected before being stored or displayed to users.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47872", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0025", "scoring_system": "epss", "scoring_elements": "0.48446", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47872" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-gvv6-33j7-884g", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:19:51Z/" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-gvv6-33j7-884g" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-220.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-220.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47872", "reference_id": "CVE-2024-47872", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47872" }, { "reference_url": "https://github.com/advisories/GHSA-gvv6-33j7-884g", "reference_id": "GHSA-gvv6-33j7-884g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gvv6-33j7-884g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42589?format=api", "purl": "pkg:pypi/gradio@5.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zgc3-regn-3ubp" }, { "vulnerability": "VCID-zgd4-q6ss-g3a6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0" } ], "aliases": [ "CVE-2024-47872", "GHSA-gvv6-33j7-884g", "PYSEC-2024-220" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-reuv-7se1-pubz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/341164?format=api", "vulnerability_id": "VCID-rkr6-ssp6-afdt", "summary": "Gradio's dropdown component pre-process step does not limit the values to those in the dropdown list", "references": [ { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/advisories/GHSA-26jh-r8g2-6fpr", "reference_id": "GHSA-26jh-r8g2-6fpr", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-26jh-r8g2-6fpr" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-26jh-r8g2-6fpr", "reference_id": "GHSA-26jh-r8g2-6fpr", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-26jh-r8g2-6fpr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42589?format=api", "purl": "pkg:pypi/gradio@5.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zgc3-regn-3ubp" }, { "vulnerability": "VCID-zgd4-q6ss-g3a6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0" } ], "aliases": [ "GHSA-26jh-r8g2-6fpr" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rkr6-ssp6-afdt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9119?format=api", "vulnerability_id": "VCID-ry9e-qctr-7fbe", "summary": "Gradio before 4.20 allows credential leakage on Windows.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34510", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00092", "scoring_system": "epss", "scoring_elements": "0.25958", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34510" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:U/UI:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-29T14:51:27Z/" } ], "url": "https://github.com/gradio-app/gradio/" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-255.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-255.yaml" }, { "reference_url": "https://www.gradio.app/changelog#4-20-0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:U/UI:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-29T14:51:27Z/" } ], "url": "https://www.gradio.app/changelog#4-20-0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34510", "reference_id": "CVE-2024-34510", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34510" }, { "reference_url": "https://github.com/advisories/GHSA-rvfh-h6c7-fc3c", "reference_id": "GHSA-rvfh-h6c7-fc3c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rvfh-h6c7-fc3c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39838?format=api", "purl": "pkg:pypi/gradio@4.20.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-135r-znhp-5yge" }, { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-2968-zwkj-tka2" }, { "vulnerability": "VCID-77wy-te8b-9qgc" }, { "vulnerability": "VCID-7my4-fvg8-kqhw" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-cdyx-gjxu-zbgk" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ebmj-b24k-dkbb" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-ghyh-u1nb-nygf" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-tcqh-cmqg-bqfq" }, { "vulnerability": "VCID-u4rh-huaj-7bf4" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-w8ua-mp21-v3cv" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zycs-zpma-xqey" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.20.0" } ], "aliases": [ "CVE-2024-34510", "GHSA-rvfh-h6c7-fc3c", "PYSEC-2024-255" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ry9e-qctr-7fbe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/19909?format=api", "vulnerability_id": "VCID-u38g-qy2t-67h2", "summary": "gradio Server-Side Request Forgery vulnerability\nAn SSRF (Server-Side Request Forgery) vulnerability exists in the gradio-app/gradio repository, allowing attackers to scan and identify open ports within an internal network. By manipulating the 'file' parameter in a GET request, an attacker can discern the status of internal ports based on the presence of a 'Location' header or a 'File not allowed' error in the response.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-1183", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.55048", "scoring_system": "epss", "scoring_elements": "0.98096", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-1183" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/2ad3d9e7ec6c8eeea59774265b44f11df7394bb4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-20T18:25:36Z/" } ], "url": "https://github.com/gradio-app/gradio/commit/2ad3d9e7ec6c8eeea59774265b44f11df7394bb4" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/7ba8c5da45b004edd12c0460be9222f5b5f5f055", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/commit/7ba8c5da45b004edd12c0460be9222f5b5f5f055" }, { "reference_url": "https://huntr.com/bounties/103434f9-87d2-42ea-9907-194a3c25007c", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-20T18:25:36Z/" } ], "url": "https://huntr.com/bounties/103434f9-87d2-42ea-9907-194a3c25007c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1183", "reference_id": "CVE-2024-1183", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1183" }, { "reference_url": "https://github.com/advisories/GHSA-qh6x-j82h-vpf9", "reference_id": "GHSA-qh6x-j82h-vpf9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qh6x-j82h-vpf9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/37266?format=api", "purl": "pkg:pypi/gradio@4.10.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-135r-znhp-5yge" }, { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-2968-zwkj-tka2" }, { "vulnerability": "VCID-38nv-9rjy-2bfp" }, { "vulnerability": "VCID-77wy-te8b-9qgc" }, { "vulnerability": "VCID-7my4-fvg8-kqhw" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8bv8-xgvg-6kf9" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-aue3-ymt4-nqen" }, { "vulnerability": "VCID-c7fg-xz7c-fyhg" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-cdyx-gjxu-zbgk" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ebmj-b24k-dkbb" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fcry-haph-rkgh" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-ghvm-1968-qubu" }, { "vulnerability": "VCID-ghyh-u1nb-nygf" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-hhz7-44uh-yucs" }, { "vulnerability": "VCID-kmrx-ftzg-5qe7" }, { "vulnerability": "VCID-mrwe-sxue-pbcg" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-ry9e-qctr-7fbe" }, { "vulnerability": "VCID-tcqh-cmqg-bqfq" }, { "vulnerability": "VCID-u4rh-huaj-7bf4" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-w8ua-mp21-v3cv" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-xffe-brwp-6yea" }, { "vulnerability": "VCID-zycs-zpma-xqey" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.10.0" } ], "aliases": [ "CVE-2024-1183", "GHSA-qh6x-j82h-vpf9" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u38g-qy2t-67h2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/268141?format=api", "vulnerability_id": "VCID-u4rh-huaj-7bf4", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-4940", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.07236", "scoring_system": "epss", "scoring_elements": "0.91745", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-4940" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://huntr.com/bounties/35aaea93-6895-4f03-9c1b-cd992665aa60", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-24T14:09:04Z/" } ], "url": "https://huntr.com/bounties/35aaea93-6895-4f03-9c1b-cd992665aa60" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4940", "reference_id": "CVE-2024-4940", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4940" }, { "reference_url": "https://github.com/advisories/GHSA-g6c9-f4xm-9j4x", "reference_id": "GHSA-g6c9-f4xm-9j4x", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g6c9-f4xm-9j4x" } ], "fixed_packages": [], "aliases": [ "CVE-2024-4940", "GHSA-g6c9-f4xm-9j4x" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u4rh-huaj-7bf4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9233?format=api", "vulnerability_id": "VCID-vad2-ydnk-nkgs", "summary": "Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a **lack of integrity check** on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker gains access to the remote URL from which the FRP client is downloaded, they could modify the binary without detection, as the Gradio server does not verify the file's checksum or signature. Any users utilizing the Gradio server's sharing mechanism that downloads the FRP client could be affected by this vulnerability, especially those relying on the executable binary for secure data tunneling. There is no direct workaround for this issue without upgrading. However, users can manually validate the integrity of the downloaded FRP client by implementing checksum or signature verification in their own environment to ensure the binary hasn't been tampered with.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47867", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44787", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47867" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-8c87-gvhj-xm8m", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:06:22Z/" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-8c87-gvhj-xm8m" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-216.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-216.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47867", "reference_id": "CVE-2024-47867", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47867" }, { "reference_url": "https://github.com/advisories/GHSA-8c87-gvhj-xm8m", "reference_id": "GHSA-8c87-gvhj-xm8m", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8c87-gvhj-xm8m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42589?format=api", "purl": "pkg:pypi/gradio@5.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zgc3-regn-3ubp" }, { "vulnerability": "VCID-zgd4-q6ss-g3a6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0" } ], "aliases": [ "CVE-2024-47867", "GHSA-8c87-gvhj-xm8m", "PYSEC-2024-216" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vad2-ydnk-nkgs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9225?format=api", "vulnerability_id": "VCID-w8ua-mp21-v3cv", "summary": "Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **one-level read path traversal** in the `/custom_component` endpoint. Attackers can exploit this flaw to access and leak source code from custom Gradio components by manipulating the file path in the request. Although the traversal is limited to a single directory level, it could expose proprietary or sensitive code that developers intended to keep private. This impacts users who have developed custom Gradio components and are hosting them on publicly accessible servers. Users are advised to upgrade to `gradio>=4.44` to address this issue. As a workaround, developers can sanitize the file paths and ensure that components are not stored in publicly accessible directories.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47166", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00245", "scoring_system": "epss", "scoring_elements": "0.47937", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47166" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-37qc-qgx6-9xjv", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:26:33Z/" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-37qc-qgx6-9xjv" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-197.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-197.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47166", "reference_id": "CVE-2024-47166", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47166" }, { "reference_url": "https://github.com/advisories/GHSA-37qc-qgx6-9xjv", "reference_id": "GHSA-37qc-qgx6-9xjv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-37qc-qgx6-9xjv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42580?format=api", "purl": "pkg:pypi/gradio@4.44.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-cdyx-gjxu-zbgk" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-r5mb-vhku-5bbr" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-tcqh-cmqg-bqfq" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.44.0" } ], "aliases": [ "CVE-2024-47166", "GHSA-37qc-qgx6-9xjv", "PYSEC-2024-197" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w8ua-mp21-v3cv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/276775?format=api", "vulnerability_id": "VCID-x7p6-gazz-z7gz", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8966", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0029", "scoring_system": "epss", "scoring_elements": "0.52642", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8966" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/f1718c47137f9c60240da7afe5e3290aa0f1cb47", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/commit/f1718c47137f9c60240da7afe5e3290aa0f1cb47" }, { "reference_url": "https://huntr.com/bounties/7b5932bb-58d1-4e71-b85c-43dc40522ff2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T15:50:36Z/" } ], "url": "https://huntr.com/bounties/7b5932bb-58d1-4e71-b85c-43dc40522ff2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8966", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8966" }, { "reference_url": "https://github.com/advisories/GHSA-5cpq-9538-jm2j", "reference_id": "GHSA-5cpq-9538-jm2j", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5cpq-9538-jm2j" } ], "fixed_packages": [], "aliases": [ "CVE-2024-8966", "GHSA-5cpq-9538-jm2j" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x7p6-gazz-z7gz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/19908?format=api", "vulnerability_id": "VCID-xffe-brwp-6yea", "summary": "gradio vulnerable to Path Traversal\nAn issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_to_block_cache()` method of the `Block` class, an attacker can copy any file on the filesystem to a temporary directory and subsequently retrieve it. This vulnerability enables unauthorized local file read access, posing a significant risk especially when the application is exposed to the internet via `launch(share=True)`, thereby allowing remote attackers to read files on the host machine. Furthermore, gradio apps hosted on `huggingface.co` are also affected, potentially leading to the exposure of sensitive information such as API keys and credentials stored in environment variables.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-1561", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.93426", "scoring_system": "epss", "scoring_elements": "0.99824", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-1561" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-13T19:06:47Z/" } ], "url": "https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2" }, { "reference_url": "https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-13T19:06:47Z/" } ], "url": "https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338" }, { "reference_url": "https://www.gradio.app/changelog#4-13-0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-13T19:06:47Z/" } ], "url": "https://www.gradio.app/changelog#4-13-0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1561", "reference_id": "CVE-2024-1561", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1561" }, { "reference_url": "https://github.com/advisories/GHSA-g9cj-cfpp-4g2x", "reference_id": "GHSA-g9cj-cfpp-4g2x", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g9cj-cfpp-4g2x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/37269?format=api", "purl": "pkg:pypi/gradio@4.13.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-135r-znhp-5yge" }, { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-2968-zwkj-tka2" }, { "vulnerability": "VCID-38nv-9rjy-2bfp" }, { "vulnerability": "VCID-77wy-te8b-9qgc" }, { "vulnerability": "VCID-7my4-fvg8-kqhw" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8bv8-xgvg-6kf9" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-cdyx-gjxu-zbgk" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ebmj-b24k-dkbb" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fcry-haph-rkgh" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-ghvm-1968-qubu" }, { "vulnerability": "VCID-ghyh-u1nb-nygf" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-hhz7-44uh-yucs" }, { "vulnerability": "VCID-kmrx-ftzg-5qe7" }, { "vulnerability": "VCID-mrwe-sxue-pbcg" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-ry9e-qctr-7fbe" }, { "vulnerability": "VCID-tcqh-cmqg-bqfq" }, { "vulnerability": "VCID-u4rh-huaj-7bf4" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-w8ua-mp21-v3cv" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-zycs-zpma-xqey" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.13.0" } ], "aliases": [ "CVE-2024-1561", "GHSA-g9cj-cfpp-4g2x" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xffe-brwp-6yea" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/8212?format=api", "vulnerability_id": "VCID-yx69-h7t2-tbe7", "summary": "Gradio is an open source framework for building interactive machine learning models and demos. In versions prior to 2.5.0 there is a vulnerability that affects anyone who creates and publicly shares Gradio interfaces. File paths are not restricted and users who receive a Gradio link can access any files on the host computer if they know the file names or file paths. This is limited only by the host operating system. Paths are opened in read only mode. The problem has been patched in gradio 2.5.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-43831", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.30342", "scoring_system": "epss", "scoring_elements": "0.96776", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-43831" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/41bd3645bdb616e1248b2167ca83636a2653f781", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/commit/41bd3645bdb616e1248b2167ca83636a2653f781" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-rhq2-3vr9-6mcr", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-rhq2-3vr9-6mcr" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2021-873.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2021-873.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43831", "reference_id": "CVE-2021-43831", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43831" }, { "reference_url": "https://github.com/advisories/GHSA-rhq2-3vr9-6mcr", "reference_id": "GHSA-rhq2-3vr9-6mcr", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rhq2-3vr9-6mcr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/24604?format=api", "purl": "pkg:pypi/gradio@2.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-135r-znhp-5yge" }, { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-2968-zwkj-tka2" }, { "vulnerability": "VCID-38nv-9rjy-2bfp" }, { "vulnerability": "VCID-4v1z-hd63-4fc6" }, { "vulnerability": "VCID-77wy-te8b-9qgc" }, { "vulnerability": "VCID-7my4-fvg8-kqhw" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-83yw-mt71-tyeq" }, { "vulnerability": "VCID-8bv8-xgvg-6kf9" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-aue3-ymt4-nqen" }, { "vulnerability": "VCID-c7fg-xz7c-fyhg" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ebmj-b24k-dkbb" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fcry-haph-rkgh" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-ghvm-1968-qubu" }, { "vulnerability": "VCID-ghyh-u1nb-nygf" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-hhz7-44uh-yucs" }, { "vulnerability": "VCID-kmrx-ftzg-5qe7" }, { "vulnerability": "VCID-mrwe-sxue-pbcg" }, { "vulnerability": "VCID-r4jn-wcux-qqd7" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-ry9e-qctr-7fbe" }, { "vulnerability": "VCID-u38g-qy2t-67h2" }, { "vulnerability": "VCID-u4rh-huaj-7bf4" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-w8ua-mp21-v3cv" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-xffe-brwp-6yea" }, { "vulnerability": "VCID-z72y-7um8-p3dj" }, { "vulnerability": "VCID-zycs-zpma-xqey" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@2.5.0" } ], "aliases": [ "CVE-2021-43831", "GHSA-rhq2-3vr9-6mcr", "PYSEC-2021-873" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yx69-h7t2-tbe7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9054?format=api", "vulnerability_id": "VCID-z72y-7um8-p3dj", "summary": "A local file include could be remotely triggered in Gradio due to a vulnerable user-supplied JSON value in an API request.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0964", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00147", "scoring_system": "epss", "scoring_elements": "0.34868", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0964" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/commit/d76bcaaaf0734aaf49a680f94ea9d4d22a602e70", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "9.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-06T18:33:00Z/" } ], "url": "https://github.com/gradio-app/gradio/commit/d76bcaaaf0734aaf49a680f94ea9d4d22a602e70" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-261.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-261.yaml" }, { "reference_url": "https://huntr.com/bounties/25e25501-5918-429c-8541-88832dfd3741", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "9.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-06T18:33:00Z/" } ], "url": "https://huntr.com/bounties/25e25501-5918-429c-8541-88832dfd3741" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0964", "reference_id": "CVE-2024-0964", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0964" }, { "reference_url": "https://github.com/advisories/GHSA-f3h9-8phc-6gvh", "reference_id": "GHSA-f3h9-8phc-6gvh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f3h9-8phc-6gvh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/37264?format=api", "purl": "pkg:pypi/gradio@4.9.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-135r-znhp-5yge" }, { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-2968-zwkj-tka2" }, { "vulnerability": "VCID-38nv-9rjy-2bfp" }, { "vulnerability": "VCID-77wy-te8b-9qgc" }, { "vulnerability": "VCID-7my4-fvg8-kqhw" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8bv8-xgvg-6kf9" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-aue3-ymt4-nqen" }, { "vulnerability": "VCID-c7fg-xz7c-fyhg" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-cdyx-gjxu-zbgk" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ebmj-b24k-dkbb" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fcry-haph-rkgh" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-ghvm-1968-qubu" }, { "vulnerability": "VCID-ghyh-u1nb-nygf" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-hhz7-44uh-yucs" }, { "vulnerability": "VCID-kmrx-ftzg-5qe7" }, { "vulnerability": "VCID-mrwe-sxue-pbcg" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-ry9e-qctr-7fbe" }, { "vulnerability": "VCID-tcqh-cmqg-bqfq" }, { "vulnerability": "VCID-u38g-qy2t-67h2" }, { "vulnerability": "VCID-u4rh-huaj-7bf4" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-w8ua-mp21-v3cv" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" }, { "vulnerability": "VCID-xffe-brwp-6yea" }, { "vulnerability": "VCID-zycs-zpma-xqey" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.9.0" } ], "aliases": [ "CVE-2024-0964", "GHSA-f3h9-8phc-6gvh", "PYSEC-2024-261" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z72y-7um8-p3dj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9230?format=api", "vulnerability_id": "VCID-zycs-zpma-xqey", "summary": "Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves data exposure due to the enable_monitoring flag not properly disabling monitoring when set to False. Even when monitoring is supposedly disabled, an attacker or unauthorized user can still access the monitoring dashboard by directly requesting the /monitoring endpoint. This means that sensitive application analytics may still be exposed, particularly in environments where monitoring is expected to be disabled. Users who set enable_monitoring=False to prevent unauthorized access to monitoring data are impacted. Users are advised to upgrade to gradio>=4.44 to address this issue. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47168", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.36447", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47168" }, { "reference_url": "https://github.com/gradio-app/gradio", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/gradio-app/gradio" }, { "reference_url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-hm3c-93pg-4cxw", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:28:11Z/" } ], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-hm3c-93pg-4cxw" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-198.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-198.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47168", "reference_id": "CVE-2024-47168", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47168" }, { "reference_url": "https://github.com/advisories/GHSA-hm3c-93pg-4cxw", "reference_id": "GHSA-hm3c-93pg-4cxw", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hm3c-93pg-4cxw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42580?format=api", "purl": "pkg:pypi/gradio@4.44.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17vf-h543-33ch" }, { "vulnerability": "VCID-7qyj-s1nm-ekay" }, { "vulnerability": "VCID-8n3u-687v-2feg" }, { "vulnerability": "VCID-a3xu-7cqy-gyhd" }, { "vulnerability": "VCID-cbe3-n9tq-6yas" }, { "vulnerability": "VCID-cdyx-gjxu-zbgk" }, { "vulnerability": "VCID-dugv-7fyw-dke5" }, { "vulnerability": "VCID-ec3r-7thk-mbhr" }, { "vulnerability": "VCID-fjuj-9xc6-bkac" }, { "vulnerability": "VCID-gs22-farz-afdd" }, { "vulnerability": "VCID-gyvv-u98g-6keb" }, { "vulnerability": "VCID-hhx7-n4cb-qbcc" }, { "vulnerability": "VCID-kt73-gz4z-6faf" }, { "vulnerability": "VCID-r5mb-vhku-5bbr" }, { "vulnerability": "VCID-rdck-p2jh-cfbz" }, { "vulnerability": "VCID-reuv-7se1-pubz" }, { "vulnerability": "VCID-rkr6-ssp6-afdt" }, { "vulnerability": "VCID-tcqh-cmqg-bqfq" }, { "vulnerability": "VCID-vad2-ydnk-nkgs" }, { "vulnerability": "VCID-x7p6-gazz-z7gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.44.0" } ], "aliases": [ "CVE-2024-47168", "GHSA-hm3c-93pg-4cxw", "PYSEC-2024-198" ], "risk_score": 1.9, "exploitability": "0.5", "weighted_severity": "3.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zycs-zpma-xqey" } ], "fixing_vulnerabilities": [], "risk_score": "10.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@0.9.9.2" }