{"url":"http://public2.vulnerablecode.io/api/packages/24488?format=json","purl":"pkg:pypi/gradio@0.9.9.7","type":"pypi","namespace":"","name":"gradio","version":"0.9.9.7","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.7.0","latest_non_vulnerable_version":"6.7.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9232?format=json","vulnerability_id":"VCID-135r-znhp-5yge","summary":"Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **timing attack** in the way Gradio compares hashes for the `analytics_dashboard` function. Since the comparison is not done in constant time, an attacker could exploit this by measuring the response time of different requests to infer the correct hash byte-by-byte. This can lead to unauthorized access to the analytics dashboard, especially if the attacker can repeatedly query the system with different keys. Users are advised to upgrade to `gradio>4.44` to mitigate this issue. To mitigate the risk before applying the patch, developers can manually patch the `analytics_dashboard` dashboard to use a **constant-time comparison** function for comparing sensitive values, such as hashes. Alternatively, access to the analytics dashboard can be disabled.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47869","reference_id":"","reference_type":"","scores":[{"value":"0.00158","scoring_system":"epss","scoring_elements":"0.36447","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47869"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-j757-pf57-f8r4","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:08:36Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-j757-pf57-f8r4"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-199.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-199.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47869","reference_id":"CVE-2024-47869","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47869"},{"reference_url":"https://github.com/advisories/GHSA-j757-pf57-f8r4","reference_id":"GHSA-j757-pf57-f8r4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j757-pf57-f8r4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42580?format=json","purl":"pkg:pypi/gradio@4.44.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-cdyx-gjxu-zbgk"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-r5mb-vhku-5bbr"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-tcqh-cmqg-bqfq"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-x7p6-gazz-z7gz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.44.0"}],"aliases":["CVE-2024-47869","GHSA-j757-pf57-f8r4","PYSEC-2024-199"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-135r-znhp-5yge"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9555?format=json","vulnerability_id":"VCID-17vf-h543-33ch","summary":"Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ changed the definition of `os.path.isabs` so that root-relative paths like `/windows/win.ini` on Windows are no longer considered absolute paths, resulting in a vulnerability in Gradio's logic for joining paths safely. This can be exploited by unauthenticated attackers to read arbitrary files from the Gradio server, even when Gradio is set up with authentication. Version 6.7 fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28414","reference_id":"","reference_type":"","scores":[{"value":"0.04212","scoring_system":"epss","scoring_elements":"0.88928","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28414"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/6011b00d0154b85532fa901dd73cf8fa7d86fd04","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/6011b00d0154b85532fa901dd73cf8fa7d86fd04"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-39mp-8hj3-5c49","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T22:02:06Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-39mp-8hj3-5c49"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28414","reference_id":"CVE-2026-28414","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28414"},{"reference_url":"https://github.com/advisories/GHSA-39mp-8hj3-5c49","reference_id":"GHSA-39mp-8hj3-5c49","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-39mp-8hj3-5c49"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47203?format=json","purl":"pkg:pypi/gradio@6.7.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@6.7.0"}],"aliases":["CVE-2026-28414","GHSA-39mp-8hj3-5c49","PYSEC-2026-64"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-17vf-h543-33ch"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/266102?format=json","vulnerability_id":"VCID-2968-zwkj-tka2","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-48052","reference_id":"","reference_type":"","scores":[{"value":"0.00125","scoring_system":"epss","scoring_elements":"0.3141","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-48052"},{"reference_url":"https://gist.github.com/AfterSnows/45ffc23797f9127e00755376cc610e12","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-06T19:19:51Z/"}],"url":"https://gist.github.com/AfterSnows/45ffc23797f9127e00755376cc610e12"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-48052","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-48052"},{"reference_url":"https://rumbling-slice-eb0.notion.site/FULL-SSRF-in-gr-DownloadButton-in-gradio-app-gradio-870b21e0908b48cbafd914719ac1a4e6?pvs=4","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-06T19:19:51Z/"}],"url":"https://rumbling-slice-eb0.notion.site/FULL-SSRF-in-gr-DownloadButton-in-gradio-app-gradio-870b21e0908b48cbafd914719ac1a4e6?pvs=4"},{"reference_url":"https://github.com/advisories/GHSA-3gf9-wv65-gwh9","reference_id":"GHSA-3gf9-wv65-gwh9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3gf9-wv65-gwh9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42579?format=json","purl":"pkg:pypi/gradio@4.43.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-135r-znhp-5yge"},{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-77wy-te8b-9qgc"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-cdyx-gjxu-zbgk"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-r5mb-vhku-5bbr"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-tcqh-cmqg-bqfq"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-w8ua-mp21-v3cv"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zycs-zpma-xqey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.43.0"}],"aliases":["CVE-2024-48052","GHSA-3gf9-wv65-gwh9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2968-zwkj-tka2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19710?format=json","vulnerability_id":"VCID-38nv-9rjy-2bfp","summary":"Cross-Site Request Forgery in Gradio\nA Cross-Site Request Forgery gives attackers the ability to upload many large files to a victim, if they are running Gradio locally. To resolve this a PR tightening the CORS rules around Gradio applications has been submitted. In particular, it checks to see if the host header is localhost (or one of its aliases) and if so, it requires the origin header (if present) to be localhost (or one of its aliases) as well.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-1727","reference_id":"","reference_type":"","scores":[{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35382","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-1727"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-25T16:25:33Z/"}],"url":"https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a"},{"reference_url":"https://github.com/gradio-app/gradio/pull/7503","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/pull/7503"},{"reference_url":"https://huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-25T16:25:33Z/"}],"url":"https://huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1727","reference_id":"CVE-2024-1727","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1727"},{"reference_url":"https://github.com/advisories/GHSA-3x9g-xfj5-fq84","reference_id":"GHSA-3x9g-xfj5-fq84","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3x9g-xfj5-fq84"},{"reference_url":"https://github.com/advisories/GHSA-48cq-79qq-6f7x","reference_id":"GHSA-48cq-79qq-6f7x","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-48cq-79qq-6f7x"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-48cq-79qq-6f7x","reference_id":"GHSA-48cq-79qq-6f7x","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-48cq-79qq-6f7x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39837?format=json","purl":"pkg:pypi/gradio@4.19.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-135r-znhp-5yge"},{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-2968-zwkj-tka2"},{"vulnerability":"VCID-77wy-te8b-9qgc"},{"vulnerability":"VCID-7my4-fvg8-kqhw"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-cdyx-gjxu-zbgk"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ebmj-b24k-dkbb"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-ghyh-u1nb-nygf"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-ry9e-qctr-7fbe"},{"vulnerability":"VCID-tcqh-cmqg-bqfq"},{"vulnerability":"VCID-u4rh-huaj-7bf4"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-w8ua-mp21-v3cv"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zycs-zpma-xqey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.19.2"}],"aliases":["CVE-2024-1727","GHSA-3x9g-xfj5-fq84","GHSA-48cq-79qq-6f7x"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-38nv-9rjy-2bfp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8724?format=json","vulnerability_id":"VCID-4v1z-hd63-4fc6","summary":"Gradio is an open-source Python library to build machine learning and data science demos and web applications. Versions prior to 3.13.1 contain Use of Hard-coded Credentials. When using Gradio's share links (i.e. creating a Gradio app and then setting `share=True`), a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides. This issue is patched in version 3.13.1, however, users are recommended to update to 3.19.1 or later where the FRP solution has been properly tested.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-25823","reference_id":"","reference_type":"","scores":[{"value":"0.00408","scoring_system":"epss","scoring_elements":"0.61474","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-25823"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-3x5j-9vwr-8rr5","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:56:59Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-3x5j-9vwr-8rr5"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-16.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-16.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25823","reference_id":"CVE-2023-25823","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25823"},{"reference_url":"https://github.com/advisories/GHSA-3x5j-9vwr-8rr5","reference_id":"GHSA-3x5j-9vwr-8rr5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3x5j-9vwr-8rr5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30860?format=json","purl":"pkg:pypi/gradio@3.13.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-135r-znhp-5yge"},{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-2968-zwkj-tka2"},{"vulnerability":"VCID-38nv-9rjy-2bfp"},{"vulnerability":"VCID-77wy-te8b-9qgc"},{"vulnerability":"VCID-7my4-fvg8-kqhw"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-83yw-mt71-tyeq"},{"vulnerability":"VCID-8bv8-xgvg-6kf9"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-aue3-ymt4-nqen"},{"vulnerability":"VCID-c7fg-xz7c-fyhg"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ebmj-b24k-dkbb"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fcry-haph-rkgh"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-ghvm-1968-qubu"},{"vulnerability":"VCID-ghyh-u1nb-nygf"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-hhz7-44uh-yucs"},{"vulnerability":"VCID-kmrx-ftzg-5qe7"},{"vulnerability":"VCID-mrwe-sxue-pbcg"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-ry9e-qctr-7fbe"},{"vulnerability":"VCID-u38g-qy2t-67h2"},{"vulnerability":"VCID-u4rh-huaj-7bf4"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-w8ua-mp21-v3cv"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-xffe-brwp-6yea"},{"vulnerability":"VCID-z72y-7um8-p3dj"},{"vulnerability":"VCID-zycs-zpma-xqey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@3.13.1"}],"aliases":["CVE-2023-25823","GHSA-3x5j-9vwr-8rr5","PYSEC-2023-16"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4v1z-hd63-4fc6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9226?format=json","vulnerability_id":"VCID-77wy-te8b-9qgc","summary":"Gradio is an open-source Python package designed for quick prototyping. This vulnerability is related to **CORS origin validation**, where the Gradio server fails to validate the request origin when a cookie is present. This allows an attacker’s website to make unauthorized requests to a local Gradio server. Potentially, attackers can upload files, steal authentication tokens, and access user data if the victim visits a malicious website while logged into Gradio. This impacts users who have deployed Gradio locally and use basic authentication. Users are advised to upgrade to `gradio>4.44` to address this issue. As a workaround, users can manually enforce stricter CORS origin validation by modifying the `CustomCORSMiddleware` class in their local Gradio server code. Specifically, they can bypass the condition that skips CORS validation for requests containing cookies to prevent potential exploitation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47084","reference_id":"","reference_type":"","scores":[{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.3351","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47084"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-3c67-5hwx-f6wx","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:23:34Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-3c67-5hwx-f6wx"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-196.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-196.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47084","reference_id":"CVE-2024-47084","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47084"},{"reference_url":"https://github.com/advisories/GHSA-3c67-5hwx-f6wx","reference_id":"GHSA-3c67-5hwx-f6wx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3c67-5hwx-f6wx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42580?format=json","purl":"pkg:pypi/gradio@4.44.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-cdyx-gjxu-zbgk"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-r5mb-vhku-5bbr"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-tcqh-cmqg-bqfq"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-x7p6-gazz-z7gz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.44.0"}],"aliases":["CVE-2024-47084","GHSA-3c67-5hwx-f6wx","PYSEC-2024-196"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-77wy-te8b-9qgc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9135?format=json","vulnerability_id":"VCID-7my4-fvg8-kqhw","summary":"A local file inclusion vulnerability exists in the JSON component of gradio-app/gradio version 4.25. The vulnerability arises from improper input validation in the `postprocess()` function within `gradio/components/json_component.py`, where a user-controlled string is parsed as JSON. If the parsed JSON object contains a `path` key, the specified file is moved to a temporary directory, making it possible to retrieve it later via the `/file=..` endpoint. This issue is due to the `processing_utils.move_files_to_cache()` function traversing any object passed to it, looking for a dictionary with a `path` key, and then copying the specified file to a temporary directory. The vulnerability can be exploited by an attacker to read files on the remote system, posing a significant security risk.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-4941","reference_id":"","reference_type":"","scores":[{"value":"0.00686","scoring_system":"epss","scoring_elements":"0.72035","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-4941"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/ee1e2942e0a1ae84a08a05464e41c8108a03fa9c","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T18:13:53Z/"}],"url":"https://github.com/gradio-app/gradio/commit/ee1e2942e0a1ae84a08a05464e41c8108a03fa9c"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-184.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-184.yaml"},{"reference_url":"https://huntr.com/bounties/39889ce1-298d-4568-aecd-7ae40c2ca58e","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T18:13:53Z/"}],"url":"https://huntr.com/bounties/39889ce1-298d-4568-aecd-7ae40c2ca58e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4941","reference_id":"CVE-2024-4941","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4941"},{"reference_url":"https://github.com/advisories/GHSA-6v6g-j5fq-hpvw","reference_id":"GHSA-6v6g-j5fq-hpvw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6v6g-j5fq-hpvw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40106?format=json","purl":"pkg:pypi/gradio@4.31.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-135r-znhp-5yge"},{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-2968-zwkj-tka2"},{"vulnerability":"VCID-77wy-te8b-9qgc"},{"vulnerability":"VCID-7my4-fvg8-kqhw"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-cdyx-gjxu-zbgk"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ebmj-b24k-dkbb"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-ghyh-u1nb-nygf"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-tcqh-cmqg-bqfq"},{"vulnerability":"VCID-u4rh-huaj-7bf4"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-w8ua-mp21-v3cv"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zycs-zpma-xqey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.31.3"},{"url":"http://public2.vulnerablecode.io/api/packages/40107?format=json","purl":"pkg:pypi/gradio@4.31.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-135r-znhp-5yge"},{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-2968-zwkj-tka2"},{"vulnerability":"VCID-77wy-te8b-9qgc"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-cdyx-gjxu-zbgk"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ebmj-b24k-dkbb"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-ghyh-u1nb-nygf"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-tcqh-cmqg-bqfq"},{"vulnerability":"VCID-u4rh-huaj-7bf4"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-w8ua-mp21-v3cv"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zycs-zpma-xqey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.31.4"}],"aliases":["CVE-2024-4941","GHSA-6v6g-j5fq-hpvw","PYSEC-2024-184"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7my4-fvg8-kqhw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9557?format=json","vulnerability_id":"VCID-7qyj-s1nm-ekay","summary":"Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. Version 6.6.0 fixes the issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28416.json","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28416.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28416","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04944","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28416"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/fc7c01ea1e581ef70be98fddf003b0c91315c7cc","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/fc7c01ea1e581ef70be98fddf003b0c91315c7cc"},{"reference_url":"https://github.com/gradio-app/gradio/releases/tag/gradio%406.6.0","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/releases/tag/gradio%406.6.0"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:59:31Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2443453","reference_id":"2443453","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2443453"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28416","reference_id":"CVE-2026-28416","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28416"},{"reference_url":"https://github.com/advisories/GHSA-jmh7-g254-2cq9","reference_id":"GHSA-jmh7-g254-2cq9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jmh7-g254-2cq9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47202?format=json","purl":"pkg:pypi/gradio@6.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17vf-h543-33ch"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@6.6.0"}],"aliases":["CVE-2026-28416","GHSA-jmh7-g254-2cq9","PYSEC-2026-66"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7qyj-s1nm-ekay"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8795?format=json","vulnerability_id":"VCID-83yw-mt71-tyeq","summary":"Gradio is an open-source Python library that is used to build machine learning and data science. Due to a lack of path filtering Gradio does not properly restrict file access to users. Additionally Gradio does not properly restrict the what URLs are proxied. These issues have been addressed in version 3.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34239","reference_id":"","reference_type":"","scores":[{"value":"0.0028","scoring_system":"epss","scoring_elements":"0.51571","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34239"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/37967617bd97615fb6f3b44e7750c0e0be58479a","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/37967617bd97615fb6f3b44e7750c0e0be58479a"},{"reference_url":"https://github.com/gradio-app/gradio/commit/37967617bd97615fb6f3b44e7750c0e0be58479a#diff-324a7165f5d5a8823a28b76f5653fa45f32c8144c82b2e528882c97c7eae534f","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/37967617bd97615fb6f3b44e7750c0e0be58479a#diff-324a7165f5d5a8823a28b76f5653fa45f32c8144c82b2e528882c97c7eae534f"},{"reference_url":"https://github.com/gradio-app/gradio/commit/cd64130d54e678525774bbb200ef9c7166fa1543","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/cd64130d54e678525774bbb200ef9c7166fa1543"},{"reference_url":"https://github.com/gradio-app/gradio/pull/4370","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T20:33:03Z/"}],"url":"https://github.com/gradio-app/gradio/pull/4370"},{"reference_url":"https://github.com/gradio-app/gradio/pull/4406","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T20:33:03Z/"}],"url":"https://github.com/gradio-app/gradio/pull/4406"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-3qqg-pgqq-3695","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T20:33:03Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-3qqg-pgqq-3695"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-90.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-90.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34239","reference_id":"CVE-2023-34239","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34239"},{"reference_url":"https://github.com/advisories/GHSA-3qqg-pgqq-3695","reference_id":"GHSA-3qqg-pgqq-3695","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3qqg-pgqq-3695"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32888?format=json","purl":"pkg:pypi/gradio@3.34.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-135r-znhp-5yge"},{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-2968-zwkj-tka2"},{"vulnerability":"VCID-38nv-9rjy-2bfp"},{"vulnerability":"VCID-77wy-te8b-9qgc"},{"vulnerability":"VCID-7my4-fvg8-kqhw"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8bv8-xgvg-6kf9"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-aue3-ymt4-nqen"},{"vulnerability":"VCID-c7fg-xz7c-fyhg"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ebmj-b24k-dkbb"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fcry-haph-rkgh"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-ghvm-1968-qubu"},{"vulnerability":"VCID-ghyh-u1nb-nygf"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-hhz7-44uh-yucs"},{"vulnerability":"VCID-kmrx-ftzg-5qe7"},{"vulnerability":"VCID-mrwe-sxue-pbcg"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-ry9e-qctr-7fbe"},{"vulnerability":"VCID-u38g-qy2t-67h2"},{"vulnerability":"VCID-u4rh-huaj-7bf4"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-w8ua-mp21-v3cv"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-xffe-brwp-6yea"},{"vulnerability":"VCID-z72y-7um8-p3dj"},{"vulnerability":"VCID-zycs-zpma-xqey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@3.34.0"}],"aliases":["CVE-2023-34239","GHSA-3qqg-pgqq-3695","PYSEC-2023-90"],"risk_score":3.3,"exploitability":"0.5","weighted_severity":"6.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-83yw-mt71-tyeq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19768?format=json","vulnerability_id":"VCID-8bv8-xgvg-6kf9","summary":"gradio Server-Side Request Forgery vulnerability\nThe /proxy route allows a user to proxy arbitrary urls including potential internal endpoints.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-2206","reference_id":"","reference_type":"","scores":[{"value":"0.00131","scoring_system":"epss","scoring_elements":"0.32247","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-2206"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/49d9c48537aa706bf72628e3640389470138bdc6","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-20T18:26:27Z/"}],"url":"https://github.com/gradio-app/gradio/commit/49d9c48537aa706bf72628e3640389470138bdc6"},{"reference_url":"https://huntr.com/bounties/2286c1ed-b889-45d6-adda-7014ea06d98e","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-20T18:26:27Z/"}],"url":"https://huntr.com/bounties/2286c1ed-b889-45d6-adda-7014ea06d98e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2206","reference_id":"CVE-2024-2206","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2206"},{"reference_url":"https://github.com/advisories/GHSA-r364-m2j9-mf4h","reference_id":"GHSA-r364-m2j9-mf4h","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r364-m2j9-mf4h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39834?format=json","purl":"pkg:pypi/gradio@4.18.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-135r-znhp-5yge"},{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-2968-zwkj-tka2"},{"vulnerability":"VCID-38nv-9rjy-2bfp"},{"vulnerability":"VCID-77wy-te8b-9qgc"},{"vulnerability":"VCID-7my4-fvg8-kqhw"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-cdyx-gjxu-zbgk"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ebmj-b24k-dkbb"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fcry-haph-rkgh"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-ghvm-1968-qubu"},{"vulnerability":"VCID-ghyh-u1nb-nygf"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kmrx-ftzg-5qe7"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-ry9e-qctr-7fbe"},{"vulnerability":"VCID-tcqh-cmqg-bqfq"},{"vulnerability":"VCID-u4rh-huaj-7bf4"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-w8ua-mp21-v3cv"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zycs-zpma-xqey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.18.0"}],"aliases":["CVE-2024-2206","GHSA-r364-m2j9-mf4h"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8bv8-xgvg-6kf9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/243251?format=json","vulnerability_id":"VCID-8n3u-687v-2feg","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-12217","reference_id":"","reference_type":"","scores":[{"value":"0.00324","scoring_system":"epss","scoring_elements":"0.55675","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-12217"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/blob/67e4044c9ca8358eceeb1fa72fa415df03397d20/gradio/utils.py#L1061-L1074","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/blob/67e4044c9ca8358eceeb1fa72fa415df03397d20/gradio/utils.py#L1061-L1074"},{"reference_url":"https://huntr.com/bounties/0439bf3d-cb38-43a5-8314-0fadf85cc5a0","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T15:14:55Z/"}],"url":"https://huntr.com/bounties/0439bf3d-cb38-43a5-8314-0fadf85cc5a0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-12217","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-12217"},{"reference_url":"https://github.com/advisories/GHSA-prpg-p95c-32fv","reference_id":"GHSA-prpg-p95c-32fv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-prpg-p95c-32fv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42700?format=json","purl":"pkg:pypi/gradio@5.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zgc3-regn-3ubp"},{"vulnerability":"VCID-zgd4-q6ss-g3a6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.2"}],"aliases":["CVE-2024-12217","GHSA-prpg-p95c-32fv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8n3u-687v-2feg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9229?format=json","vulnerability_id":"VCID-a3xu-7cqy-gyhd","summary":"Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **Server-Side Request Forgery (SSRF)** in the `/queue/join` endpoint. Gradio’s `async_save_url_to_cache` function allows attackers to force the Gradio server to send HTTP requests to user-controlled URLs. This could enable attackers to target internal servers or services within a local network and possibly exfiltrate data or cause unwanted internal requests. Additionally, the content from these URLs is stored locally, making it easier for attackers to upload potentially malicious files to the server. This impacts users deploying Gradio servers that use components like the Video component which involve URL fetching. Users are advised to upgrade to `gradio>=5` to address this issue.  As a workaround, users can disable or heavily restrict URL-based inputs in their Gradio applications to trusted domains only. Additionally, implementing stricter URL validation (such as allowinglist-based validation) and ensuring that local or internal network addresses cannot be requested via the `/queue/join` endpoint can help mitigate the risk of SSRF attacks.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47167","reference_id":"","reference_type":"","scores":[{"value":"0.00236","scoring_system":"epss","scoring_elements":"0.46675","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47167"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-576c-3j53-r9jj","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:26:59Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-576c-3j53-r9jj"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-215.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-215.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47167","reference_id":"CVE-2024-47167","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47167"},{"reference_url":"https://github.com/advisories/GHSA-576c-3j53-r9jj","reference_id":"GHSA-576c-3j53-r9jj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-576c-3j53-r9jj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42589?format=json","purl":"pkg:pypi/gradio@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zgc3-regn-3ubp"},{"vulnerability":"VCID-zgd4-q6ss-g3a6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0"}],"aliases":["CVE-2024-47167","GHSA-576c-3j53-r9jj","PYSEC-2024-215"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a3xu-7cqy-gyhd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8992?format=json","vulnerability_id":"VCID-aue3-ymt4-nqen","summary":"Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Versions of `gradio` prior to 4.11.0 contained a vulnerability in the `/file` route which made them susceptible to file traversal attacks in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with `share=True`, or on Hugging Face Spaces) if they knew the path of files to look for. This issue has been patched in version 4.11.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-51449","reference_id":"","reference_type":"","scores":[{"value":"0.81488","scoring_system":"epss","scoring_elements":"0.99201","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-51449"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/1b9d4234d6c25ef250d882c7b90e1f4039ed2d76","reference_id":"","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T21:07:15Z/"}],"url":"https://github.com/gradio-app/gradio/commit/1b9d4234d6c25ef250d882c7b90e1f4039ed2d76"},{"reference_url":"https://github.com/gradio-app/gradio/commit/7ba8c5da45b004edd12c0460be9222f5b5f5f055","reference_id":"","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T21:07:15Z/"}],"url":"https://github.com/gradio-app/gradio/commit/7ba8c5da45b004edd12c0460be9222f5b5f5f055"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-6qm2-wpxq-7qh2","reference_id":"","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T21:07:15Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-6qm2-wpxq-7qh2"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-249.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-249.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-51449","reference_id":"CVE-2023-51449","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-51449"},{"reference_url":"https://github.com/advisories/GHSA-6qm2-wpxq-7qh2","reference_id":"GHSA-6qm2-wpxq-7qh2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6qm2-wpxq-7qh2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/37267?format=json","purl":"pkg:pypi/gradio@4.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-135r-znhp-5yge"},{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-2968-zwkj-tka2"},{"vulnerability":"VCID-38nv-9rjy-2bfp"},{"vulnerability":"VCID-77wy-te8b-9qgc"},{"vulnerability":"VCID-7my4-fvg8-kqhw"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8bv8-xgvg-6kf9"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-c7fg-xz7c-fyhg"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-cdyx-gjxu-zbgk"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ebmj-b24k-dkbb"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fcry-haph-rkgh"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-ghvm-1968-qubu"},{"vulnerability":"VCID-ghyh-u1nb-nygf"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-hhz7-44uh-yucs"},{"vulnerability":"VCID-kmrx-ftzg-5qe7"},{"vulnerability":"VCID-mrwe-sxue-pbcg"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-ry9e-qctr-7fbe"},{"vulnerability":"VCID-tcqh-cmqg-bqfq"},{"vulnerability":"VCID-u4rh-huaj-7bf4"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-w8ua-mp21-v3cv"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-xffe-brwp-6yea"},{"vulnerability":"VCID-zycs-zpma-xqey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.11.0"}],"aliases":["CVE-2023-51449","GHSA-6qm2-wpxq-7qh2","PYSEC-2023-249"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-aue3-ymt4-nqen"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/340678?format=json","vulnerability_id":"VCID-c7fg-xz7c-fyhg","summary":"Gradio's Component Server does not properly consider` _is_server_fn` for functions","references":[{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2"},{"reference_url":"https://www.gradio.app/changelog#4-13-0","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.gradio.app/changelog#4-13-0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34511","reference_id":"CVE-2024-34511","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34511"},{"reference_url":"https://github.com/advisories/GHSA-34rf-p3r3-58x2","reference_id":"GHSA-34rf-p3r3-58x2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-34rf-p3r3-58x2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/37269?format=json","purl":"pkg:pypi/gradio@4.13.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-135r-znhp-5yge"},{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-2968-zwkj-tka2"},{"vulnerability":"VCID-38nv-9rjy-2bfp"},{"vulnerability":"VCID-77wy-te8b-9qgc"},{"vulnerability":"VCID-7my4-fvg8-kqhw"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8bv8-xgvg-6kf9"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-cdyx-gjxu-zbgk"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ebmj-b24k-dkbb"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fcry-haph-rkgh"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-ghvm-1968-qubu"},{"vulnerability":"VCID-ghyh-u1nb-nygf"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-hhz7-44uh-yucs"},{"vulnerability":"VCID-kmrx-ftzg-5qe7"},{"vulnerability":"VCID-mrwe-sxue-pbcg"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-ry9e-qctr-7fbe"},{"vulnerability":"VCID-tcqh-cmqg-bqfq"},{"vulnerability":"VCID-u4rh-huaj-7bf4"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-w8ua-mp21-v3cv"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zycs-zpma-xqey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.13.0"}],"aliases":["CVE-2024-34511","GHSA-34rf-p3r3-58x2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c7fg-xz7c-fyhg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9231?format=json","vulnerability_id":"VCID-cbe3-n9tq-6yas","summary":"Gradio is an open-source Python package designed for quick prototyping. This is a **data validation vulnerability** affecting several Gradio components, which allows arbitrary file leaks through the post-processing step. Attackers can exploit these components by crafting requests that bypass expected input constraints. This issue could lead to sensitive files being exposed to unauthorized users, especially when combined with other vulnerabilities, such as issue TOB-GRADIO-15. The components most at risk are those that return or handle file data. Vulnerable Components: 1. **String to FileData:** DownloadButton, Audio, ImageEditor, Video, Model3D, File, UploadButton. 2. **Complex data to FileData:** Chatbot, MultimodalTextbox. 3. **Direct file read in preprocess:** Code. 4. **Dictionary converted to FileData:** ParamViewer, Dataset. Exploit Scenarios: 1. A developer creates a Dropdown list that passes values to a DownloadButton. An attacker bypasses the allowed inputs, sends an arbitrary file path (like `/etc/passwd`), and downloads sensitive files. 2. An attacker crafts a malicious payload in a ParamViewer component, leaking sensitive files from a server through the arbitrary file leak. This issue has been resolved in `gradio>5.0`. Upgrading to the latest version will mitigate this vulnerability. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47868","reference_id":"","reference_type":"","scores":[{"value":"0.00201","scoring_system":"epss","scoring_elements":"0.42089","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47868"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-4q3c-cj7g-jcwf","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:07:53Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-4q3c-cj7g-jcwf"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-217.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-217.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47868","reference_id":"CVE-2024-47868","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47868"},{"reference_url":"https://github.com/advisories/GHSA-4q3c-cj7g-jcwf","reference_id":"GHSA-4q3c-cj7g-jcwf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4q3c-cj7g-jcwf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42589?format=json","purl":"pkg:pypi/gradio@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zgc3-regn-3ubp"},{"vulnerability":"VCID-zgd4-q6ss-g3a6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0"}],"aliases":["CVE-2024-47868","GHSA-4q3c-cj7g-jcwf","PYSEC-2024-217"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cbe3-n9tq-6yas"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9227?format=json","vulnerability_id":"VCID-dugv-7fyw-dke5","summary":"Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to the **bypass of directory traversal checks** within the `is_in_or_equal` function. This function, intended to check if a file resides within a given directory, can be bypassed with certain payloads that manipulate file paths using `..` (parent directory) sequences. Attackers could potentially access restricted files if they are able to exploit this flaw, although the difficulty is high. This primarily impacts users relying on Gradio’s blocklist or directory access validation, particularly when handling file uploads. Users are advised to upgrade to `gradio>=5.0` to address this issue. As a workaround, users can manually sanitize and normalize file paths in their Gradio deployment before passing them to the `is_in_or_equal` function. Ensuring that all file paths are properly resolved and absolute can help mitigate the bypass vulnerabilities caused by the improper handling of `..` sequences or malformed paths.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47164","reference_id":"","reference_type":"","scores":[{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.42206","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47164"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/08b51590163b306fd874f543f6fcaf23ac7d2646","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/08b51590163b306fd874f543f6fcaf23ac7d2646"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-77xq-6g77-h274","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:24:39Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-77xq-6g77-h274"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-213.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-213.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47164","reference_id":"CVE-2024-47164","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47164"},{"reference_url":"https://github.com/advisories/GHSA-77xq-6g77-h274","reference_id":"GHSA-77xq-6g77-h274","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-77xq-6g77-h274"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42589?format=json","purl":"pkg:pypi/gradio@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zgc3-regn-3ubp"},{"vulnerability":"VCID-zgd4-q6ss-g3a6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0"}],"aliases":["CVE-2024-47164","GHSA-77xq-6g77-h274","PYSEC-2024-213"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dugv-7fyw-dke5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/275896?format=json","vulnerability_id":"VCID-ebmj-b24k-dkbb","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-8021","reference_id":"","reference_type":"","scores":[{"value":"0.02447","scoring_system":"epss","scoring_elements":"0.85449","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-8021"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://huntr.com/bounties/adc23067-ec04-47ef-9265-afd452071888","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-20T13:11:00Z/"}],"url":"https://huntr.com/bounties/adc23067-ec04-47ef-9265-afd452071888"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8021","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8021"},{"reference_url":"https://github.com/advisories/GHSA-7v2w-h4gh-w5cv","reference_id":"GHSA-7v2w-h4gh-w5cv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7v2w-h4gh-w5cv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42573?format=json","purl":"pkg:pypi/gradio@4.38.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-135r-znhp-5yge"},{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-2968-zwkj-tka2"},{"vulnerability":"VCID-77wy-te8b-9qgc"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-cdyx-gjxu-zbgk"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-r5mb-vhku-5bbr"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-tcqh-cmqg-bqfq"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-w8ua-mp21-v3cv"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zycs-zpma-xqey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.38.0"}],"aliases":["CVE-2024-8021","GHSA-7v2w-h4gh-w5cv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ebmj-b24k-dkbb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9236?format=json","vulnerability_id":"VCID-ec3r-7thk-mbhr","summary":"Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **race condition** in the `update_root_in_config` function, allowing an attacker to modify the `root` URL used by the Gradio frontend to communicate with the backend. By exploiting this flaw, an attacker can redirect user traffic to a malicious server. This could lead to the interception of sensitive data such as authentication credentials or uploaded files. This impacts all users who connect to a Gradio server, especially those exposed to the internet, where malicious actors could exploit this race condition. Users are advised to upgrade to `gradio>=5` to address this issue. There are no known workarounds for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47870","reference_id":"","reference_type":"","scores":[{"value":"0.00192","scoring_system":"epss","scoring_elements":"0.4092","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47870"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-xh2x-3mrm-fwqm","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-11T15:16:16Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-xh2x-3mrm-fwqm"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-218.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-218.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47870","reference_id":"CVE-2024-47870","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47870"},{"reference_url":"https://github.com/advisories/GHSA-xh2x-3mrm-fwqm","reference_id":"GHSA-xh2x-3mrm-fwqm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xh2x-3mrm-fwqm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42589?format=json","purl":"pkg:pypi/gradio@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zgc3-regn-3ubp"},{"vulnerability":"VCID-zgd4-q6ss-g3a6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0"}],"aliases":["CVE-2024-47870","GHSA-xh2x-3mrm-fwqm","PYSEC-2024-218"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ec3r-7thk-mbhr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19872?format=json","vulnerability_id":"VCID-fcry-haph-rkgh","summary":"Duplicate Advisory: Gradio Local File Inclusion vulnerability\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-m842-4qm8-7gpq. This link is maintained to preserve external references.\n\n## Original Description\ngradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component. Attackers can exploit this vulnerability to read arbitrary files on the filesystem, such as private SSH keys, by manipulating the file path in the request to the `/queue/join` endpoint. This issue could potentially lead to remote code execution. The vulnerability is present in the handling of file upload paths, allowing attackers to redirect file uploads to unintended locations on the server.","references":[{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/16fbe9cd0cffa9f2a824a0165beb43446114eec7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/16fbe9cd0cffa9f2a824a0165beb43446114eec7"},{"reference_url":"https://huntr.com/bounties/9bb33b71-7995-425d-91cc-2c2a2f2a068a","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.com/bounties/9bb33b71-7995-425d-91cc-2c2a2f2a068a"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1728","reference_id":"CVE-2024-1728","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1728"},{"reference_url":"https://github.com/advisories/GHSA-3f95-mxq2-2f63","reference_id":"GHSA-3f95-mxq2-2f63","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3f95-mxq2-2f63"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39837?format=json","purl":"pkg:pypi/gradio@4.19.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-135r-znhp-5yge"},{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-2968-zwkj-tka2"},{"vulnerability":"VCID-77wy-te8b-9qgc"},{"vulnerability":"VCID-7my4-fvg8-kqhw"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-cdyx-gjxu-zbgk"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ebmj-b24k-dkbb"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-ghyh-u1nb-nygf"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-ry9e-qctr-7fbe"},{"vulnerability":"VCID-tcqh-cmqg-bqfq"},{"vulnerability":"VCID-u4rh-huaj-7bf4"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-w8ua-mp21-v3cv"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zycs-zpma-xqey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.19.2"}],"aliases":["GHSA-3f95-mxq2-2f63"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fcry-haph-rkgh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9409?format=json","vulnerability_id":"VCID-fjuj-9xc6-bkac","summary":"Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Prior to version 5.31.0, an arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy any readable file from the server's filesystem. While attackers can't read these copied files, they can cause DoS by copying large files (like /dev/urandom) to fill disk space. This issue has been patched in version 5.31.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-48889","reference_id":"","reference_type":"","scores":[{"value":"0.01469","scoring_system":"epss","scoring_elements":"0.81229","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-48889"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-8jw3-6x8j-v96g","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-30T12:25:32Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-8jw3-6x8j-v96g"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48889","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48889"},{"reference_url":"https://github.com/advisories/GHSA-8jw3-6x8j-v96g","reference_id":"GHSA-8jw3-6x8j-v96g","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-8jw3-6x8j-v96g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/44185?format=json","purl":"pkg:pypi/gradio@5.31.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-kt73-gz4z-6faf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.31.0"}],"aliases":["CVE-2025-48889","GHSA-8jw3-6x8j-v96g","PYSEC-2025-119"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fjuj-9xc6-bkac"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19518?format=json","vulnerability_id":"VCID-ghvm-1968-qubu","summary":"Gradio apps vulnerable to timing attacks to guess password\n### Impact\nThis security policy is with regards to a timing attack that allows users of Gradio apps to potentially guess the password of password-protected Gradio apps. This relies on the fact that string comparisons in Python terminate early, as soon as there is a string mismatch. Because Gradio apps are, by default, not rate-limited, a user could brute-force millions of guesses to figure out the correct username and password.\n\n### Patches\nYes, the problem has been patched in Gradio version 4.19.2 or higher. We have no knowledge of this exploit being used against users of Gradio applications, but we encourage all users to upgrade to Gradio 4.19.2 or higher.\n\nFixed in: https://github.com/gradio-app/gradio/commit/e329f1fd38935213fe0e73962e8cbd5d3af6e87b","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-1729","reference_id":"","reference_type":"","scores":[{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24073","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-1729"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/e329f1fd38935213fe0e73962e8cbd5d3af6e87b","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-29T14:49:03Z/"}],"url":"https://github.com/gradio-app/gradio/commit/e329f1fd38935213fe0e73962e8cbd5d3af6e87b"},{"reference_url":"https://github.com/gradio-app/gradio/releases/tag/gradio%404.19.2","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/releases/tag/gradio%404.19.2"},{"reference_url":"https://huntr.com/bounties/f6a10a8d-f538-4cb7-9bb2-85d9f5708124","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-29T14:49:03Z/"}],"url":"https://huntr.com/bounties/f6a10a8d-f538-4cb7-9bb2-85d9f5708124"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1729","reference_id":"CVE-2024-1729","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1729"},{"reference_url":"https://github.com/advisories/GHSA-hmx6-r76c-85g9","reference_id":"GHSA-hmx6-r76c-85g9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hmx6-r76c-85g9"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-hmx6-r76c-85g9","reference_id":"GHSA-hmx6-r76c-85g9","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-hmx6-r76c-85g9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39837?format=json","purl":"pkg:pypi/gradio@4.19.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-135r-znhp-5yge"},{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-2968-zwkj-tka2"},{"vulnerability":"VCID-77wy-te8b-9qgc"},{"vulnerability":"VCID-7my4-fvg8-kqhw"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-cdyx-gjxu-zbgk"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ebmj-b24k-dkbb"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-ghyh-u1nb-nygf"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-ry9e-qctr-7fbe"},{"vulnerability":"VCID-tcqh-cmqg-bqfq"},{"vulnerability":"VCID-u4rh-huaj-7bf4"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-w8ua-mp21-v3cv"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zycs-zpma-xqey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.19.2"}],"aliases":["CVE-2024-1729","GHSA-hmx6-r76c-85g9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ghvm-1968-qubu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/267578?format=json","vulnerability_id":"VCID-ghyh-u1nb-nygf","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-4325","reference_id":"","reference_type":"","scores":[{"value":"0.65093","scoring_system":"epss","scoring_elements":"0.98498","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-4325"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/pull/8301","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/pull/8301"},{"reference_url":"https://huntr.com/bounties/b34f084b-7d14-4f00-bc10-048a3a5aaf88","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-06T19:32:08Z/"}],"url":"https://huntr.com/bounties/b34f084b-7d14-4f00-bc10-048a3a5aaf88"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4325","reference_id":"CVE-2024-4325","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4325"},{"reference_url":"https://github.com/advisories/GHSA-973g-55hp-3frw","reference_id":"GHSA-973g-55hp-3frw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-973g-55hp-3frw"}],"fixed_packages":[],"aliases":["CVE-2024-4325","GHSA-973g-55hp-3frw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ghyh-u1nb-nygf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9556?format=json","vulnerability_id":"VCID-gs22-farz-afdd","summary":"Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled (i.e. apps running on Hugging Face Spaces with gr.LoginButton). Starting in version 6.6.0, the _target_url parameter is sanitized to only use the path, query, and fragment, stripping any scheme or host.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28415.json","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28415.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28415","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02218","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28415"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/dfee0da06d0aa94b3c2684131e7898d5d5c1911e","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/dfee0da06d0aa94b3c2684131e7898d5d5c1911e"},{"reference_url":"https://github.com/gradio-app/gradio/releases/tag/gradio%406.6.0","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/releases/tag/gradio%406.6.0"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-pfjf-5gxr-995x","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:55:30Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-pfjf-5gxr-995x"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2443449","reference_id":"2443449","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2443449"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28415","reference_id":"CVE-2026-28415","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28415"},{"reference_url":"https://github.com/advisories/GHSA-pfjf-5gxr-995x","reference_id":"GHSA-pfjf-5gxr-995x","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pfjf-5gxr-995x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47202?format=json","purl":"pkg:pypi/gradio@6.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17vf-h543-33ch"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@6.6.0"}],"aliases":["CVE-2026-28415","GHSA-pfjf-5gxr-995x","PYSEC-2026-65"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gs22-farz-afdd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9234?format=json","vulnerability_id":"VCID-gyvv-u98g-6keb","summary":"Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **insecure communication** between the FRP (Fast Reverse Proxy) client and server when Gradio's `share=True` option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and read files uploaded to the Gradio server, as well as modify responses or data sent between the client and server. This impacts users who are sharing Gradio demos publicly over the internet using `share=True` without proper encryption, exposing sensitive data to potential eavesdroppers. Users are advised to upgrade to `gradio>=5` to address this issue. As a workaround, users can avoid using `share=True` in production environments and instead host their Gradio applications on servers with HTTPS enabled to ensure secure communication.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47871","reference_id":"","reference_type":"","scores":[{"value":"0.00083","scoring_system":"epss","scoring_elements":"0.24227","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47871"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-279j-x4gx-hfrh","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:19:13Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-279j-x4gx-hfrh"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-219.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-219.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47871","reference_id":"CVE-2024-47871","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47871"},{"reference_url":"https://github.com/advisories/GHSA-279j-x4gx-hfrh","reference_id":"GHSA-279j-x4gx-hfrh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-279j-x4gx-hfrh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42589?format=json","purl":"pkg:pypi/gradio@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zgc3-regn-3ubp"},{"vulnerability":"VCID-zgd4-q6ss-g3a6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0"}],"aliases":["CVE-2024-47871","GHSA-279j-x4gx-hfrh","PYSEC-2024-219"],"risk_score":4.1,"exploitability":"0.5","weighted_severity":"8.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gyvv-u98g-6keb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9295?format=json","vulnerability_id":"VCID-hhx7-n4cb-qbcc","summary":"Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Gradio's Access Control List (ACL) for file paths can be bypassed by altering the letter case of a blocked file or directory path. This vulnerability arises due to the lack of case normalization in the file path validation logic. On case-insensitive file systems, such as those used by Windows and macOS, this flaw enables attackers to circumvent security restrictions and access sensitive files that should be protected. This issue can lead to unauthorized data access, exposing sensitive information and undermining the integrity of Gradio's security model. Given Gradio's popularity for building web applications, particularly in machine learning and AI, this vulnerability may pose a substantial threat if exploited in production environments. This issue has been addressed in release version 5.6.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-23042","reference_id":"","reference_type":"","scores":[{"value":"0.00099","scoring_system":"epss","scoring_elements":"0.2731","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-23042"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/6b63fdec441b5c9bf910f910a2505d8defbb6bf8","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/6b63fdec441b5c9bf910f910a2505d8defbb6bf8"},{"reference_url":"https://github.com/gradio-app/gradio/releases/tag/gradio%405.11.0","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/releases/tag/gradio%405.11.0"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-j2jg-fq62-7c3h","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-15T14:18:00Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-j2jg-fq62-7c3h"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23042","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23042"},{"reference_url":"https://github.com/advisories/GHSA-j2jg-fq62-7c3h","reference_id":"GHSA-j2jg-fq62-7c3h","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-j2jg-fq62-7c3h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43228?format=json","purl":"pkg:pypi/gradio@5.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zgd4-q6ss-g3a6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.6.0"},{"url":"http://public2.vulnerablecode.io/api/packages/47127?format=json","purl":"pkg:pypi/gradio@5.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zgd4-q6ss-g3a6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.11.0"}],"aliases":["CVE-2025-23042","GHSA-j2jg-fq62-7c3h","PYSEC-2025-118"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hhx7-n4cb-qbcc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19772?format=json","vulnerability_id":"VCID-hhz7-44uh-yucs","summary":"Gradio's CI vulnerable to Command Injection\nPreviously, it was possible to exfiltrate secrets in Gradio's CI, but this is now fixed.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-1540","reference_id":"","reference_type":"","scores":[{"value":"0.00526","scoring_system":"epss","scoring_elements":"0.67315","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-1540"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/d56bb28df80d8db1f33e4acf4f6b2c4f87cb8b28","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-21T14:49:09Z/"}],"url":"https://github.com/gradio-app/gradio/commit/d56bb28df80d8db1f33e4acf4f6b2c4f87cb8b28"},{"reference_url":"https://huntr.com/bounties/0e39e974-9a66-476f-91f5-3f37abb03d77","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-21T14:49:09Z/"}],"url":"https://huntr.com/bounties/0e39e974-9a66-476f-91f5-3f37abb03d77"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1540","reference_id":"CVE-2024-1540","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1540"},{"reference_url":"https://github.com/advisories/GHSA-xcgp-r7r8-2hc9","reference_id":"GHSA-xcgp-r7r8-2hc9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xcgp-r7r8-2hc9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39834?format=json","purl":"pkg:pypi/gradio@4.18.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-135r-znhp-5yge"},{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-2968-zwkj-tka2"},{"vulnerability":"VCID-38nv-9rjy-2bfp"},{"vulnerability":"VCID-77wy-te8b-9qgc"},{"vulnerability":"VCID-7my4-fvg8-kqhw"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-cdyx-gjxu-zbgk"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ebmj-b24k-dkbb"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fcry-haph-rkgh"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-ghvm-1968-qubu"},{"vulnerability":"VCID-ghyh-u1nb-nygf"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kmrx-ftzg-5qe7"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-ry9e-qctr-7fbe"},{"vulnerability":"VCID-tcqh-cmqg-bqfq"},{"vulnerability":"VCID-u4rh-huaj-7bf4"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-w8ua-mp21-v3cv"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zycs-zpma-xqey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.18.0"}],"aliases":["CVE-2024-1540","GHSA-xcgp-r7r8-2hc9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hhz7-44uh-yucs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/245591?format=json","vulnerability_id":"VCID-kmrx-ftzg-5qe7","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-1728","reference_id":"","reference_type":"","scores":[{"value":"0.85087","scoring_system":"epss","scoring_elements":"0.99367","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-1728"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/16fbe9cd0cffa9f2a824a0165beb43446114eec7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-15T18:41:26Z/"}],"url":"https://github.com/gradio-app/gradio/commit/16fbe9cd0cffa9f2a824a0165beb43446114eec7"},{"reference_url":"https://huntr.com/bounties/9bb33b71-7995-425d-91cc-2c2a2f2a068a","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-15T18:41:26Z/"}],"url":"https://huntr.com/bounties/9bb33b71-7995-425d-91cc-2c2a2f2a068a"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1728","reference_id":"CVE-2024-1728","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1728"},{"reference_url":"https://github.com/advisories/GHSA-m842-4qm8-7gpq","reference_id":"GHSA-m842-4qm8-7gpq","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m842-4qm8-7gpq"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-m842-4qm8-7gpq","reference_id":"GHSA-m842-4qm8-7gpq","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-m842-4qm8-7gpq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39837?format=json","purl":"pkg:pypi/gradio@4.19.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-135r-znhp-5yge"},{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-2968-zwkj-tka2"},{"vulnerability":"VCID-77wy-te8b-9qgc"},{"vulnerability":"VCID-7my4-fvg8-kqhw"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-cdyx-gjxu-zbgk"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ebmj-b24k-dkbb"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-ghyh-u1nb-nygf"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-ry9e-qctr-7fbe"},{"vulnerability":"VCID-tcqh-cmqg-bqfq"},{"vulnerability":"VCID-u4rh-huaj-7bf4"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-w8ua-mp21-v3cv"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zycs-zpma-xqey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.19.2"}],"aliases":["CVE-2024-1728","GHSA-m842-4qm8-7gpq"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kmrx-ftzg-5qe7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8981?format=json","vulnerability_id":"VCID-mrwe-sxue-pbcg","summary":"Command Injection in GitHub repository gradio-app/gradio prior to main.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-6572","reference_id":"","reference_type":"","scores":[{"value":"0.02454","scoring_system":"epss","scoring_elements":"0.85472","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-6572"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/5b5af1899dd98d63e1f9b48a93601c2db1f56520","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-22T17:40:43Z/"}],"url":"https://github.com/gradio-app/gradio/commit/5b5af1899dd98d63e1f9b48a93601c2db1f56520"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-255.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-255.yaml"},{"reference_url":"https://huntr.com/bounties/21d2ff0c-d43a-4afd-bb4d-049ee8da5b5c","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-22T17:40:43Z/"}],"url":"https://huntr.com/bounties/21d2ff0c-d43a-4afd-bb4d-049ee8da5b5c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6572","reference_id":"CVE-2023-6572","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6572"},{"reference_url":"https://github.com/advisories/GHSA-gqvf-3hgp-5hxv","reference_id":"GHSA-gqvf-3hgp-5hxv","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gqvf-3hgp-5hxv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/37270?format=json","purl":"pkg:pypi/gradio@4.14.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-135r-znhp-5yge"},{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-2968-zwkj-tka2"},{"vulnerability":"VCID-38nv-9rjy-2bfp"},{"vulnerability":"VCID-77wy-te8b-9qgc"},{"vulnerability":"VCID-7my4-fvg8-kqhw"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8bv8-xgvg-6kf9"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-cdyx-gjxu-zbgk"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ebmj-b24k-dkbb"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fcry-haph-rkgh"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-ghvm-1968-qubu"},{"vulnerability":"VCID-ghyh-u1nb-nygf"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-hhz7-44uh-yucs"},{"vulnerability":"VCID-kmrx-ftzg-5qe7"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-ry9e-qctr-7fbe"},{"vulnerability":"VCID-tcqh-cmqg-bqfq"},{"vulnerability":"VCID-u4rh-huaj-7bf4"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-w8ua-mp21-v3cv"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zycs-zpma-xqey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.14.0"}],"aliases":["CVE-2023-6572","GHSA-gqvf-3hgp-5hxv","PYSEC-2023-255"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mrwe-sxue-pbcg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8345?format=json","vulnerability_id":"VCID-r4jn-wcux-qqd7","summary":"`gradio` is an open source framework for building interactive machine learning models and demos. Prior to version 2.8.11, `gradio` suffers from Improper Neutralization of Formula Elements in a CSV File. The `gradio` library has a flagging functionality which saves input/output data into a CSV file on the developer's computer. This can allow a user to save arbitrary text into the CSV file, such as commands. If a program like MS Excel opens such a file, then it automatically runs these commands, which could lead to arbitrary commands running on the user's computer. The problem has been patched as of `2.8.11`, which escapes the saved csv with single quotes. As a workaround, avoid opening csv files generated by `gradio` with Excel or similar spreadsheet programs.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24770","reference_id":"","reference_type":"","scores":[{"value":"0.00591","scoring_system":"epss","scoring_elements":"0.69548","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24770"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/80fea89117358ee105973453fdc402398ae20239","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:02Z/"}],"url":"https://github.com/gradio-app/gradio/commit/80fea89117358ee105973453fdc402398ae20239"},{"reference_url":"https://github.com/gradio-app/gradio/pull/817","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:02Z/"}],"url":"https://github.com/gradio-app/gradio/pull/817"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-f8xq-q7px-wg8c","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:02Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-f8xq-q7px-wg8c"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2022-229.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2022-229.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24770","reference_id":"CVE-2022-24770","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24770"},{"reference_url":"https://github.com/advisories/GHSA-f8xq-q7px-wg8c","reference_id":"GHSA-f8xq-q7px-wg8c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f8xq-q7px-wg8c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/25859?format=json","purl":"pkg:pypi/gradio@2.8.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-135r-znhp-5yge"},{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-2968-zwkj-tka2"},{"vulnerability":"VCID-38nv-9rjy-2bfp"},{"vulnerability":"VCID-4v1z-hd63-4fc6"},{"vulnerability":"VCID-77wy-te8b-9qgc"},{"vulnerability":"VCID-7my4-fvg8-kqhw"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-83yw-mt71-tyeq"},{"vulnerability":"VCID-8bv8-xgvg-6kf9"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-aue3-ymt4-nqen"},{"vulnerability":"VCID-c7fg-xz7c-fyhg"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ebmj-b24k-dkbb"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fcry-haph-rkgh"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-ghvm-1968-qubu"},{"vulnerability":"VCID-ghyh-u1nb-nygf"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-hhz7-44uh-yucs"},{"vulnerability":"VCID-kmrx-ftzg-5qe7"},{"vulnerability":"VCID-mrwe-sxue-pbcg"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-ry9e-qctr-7fbe"},{"vulnerability":"VCID-u38g-qy2t-67h2"},{"vulnerability":"VCID-u4rh-huaj-7bf4"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-w8ua-mp21-v3cv"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-xffe-brwp-6yea"},{"vulnerability":"VCID-z72y-7um8-p3dj"},{"vulnerability":"VCID-zycs-zpma-xqey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@2.8.11"}],"aliases":["CVE-2022-24770","GHSA-f8xq-q7px-wg8c","PYSEC-2022-229"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r4jn-wcux-qqd7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9228?format=json","vulnerability_id":"VCID-rdck-p2jh-cfbz","summary":"Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **CORS origin validation accepting a null origin**. When a Gradio server is deployed locally, the `localhost_aliases` variable includes \"null\" as a valid origin. This allows attackers to make unauthorized requests from sandboxed iframes or other sources with a null origin, potentially leading to data theft, such as user authentication tokens or uploaded files. This impacts users running Gradio locally, especially those using basic authentication. Users are advised to upgrade to `gradio>=5.0` to address this issue. As a workaround, users can manually modify the `localhost_aliases` list in their local Gradio deployment to exclude \"null\" as a valid origin. By removing this value, the Gradio server will no longer accept requests from sandboxed iframes or sources with a null origin, mitigating the potential for exploitation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47165","reference_id":"","reference_type":"","scores":[{"value":"0.00168","scoring_system":"epss","scoring_elements":"0.37669","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47165"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-89v2-pqfv-c5r9","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:25:38Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-89v2-pqfv-c5r9"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-214.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-214.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47165","reference_id":"CVE-2024-47165","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47165"},{"reference_url":"https://github.com/advisories/GHSA-89v2-pqfv-c5r9","reference_id":"GHSA-89v2-pqfv-c5r9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-89v2-pqfv-c5r9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42589?format=json","purl":"pkg:pypi/gradio@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zgc3-regn-3ubp"},{"vulnerability":"VCID-zgd4-q6ss-g3a6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0"}],"aliases":["CVE-2024-47165","GHSA-89v2-pqfv-c5r9","PYSEC-2024-214"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rdck-p2jh-cfbz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9235?format=json","vulnerability_id":"VCID-reuv-7se1-pubz","summary":"Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **Cross-Site Scripting (XSS)** on any Gradio server that allows file uploads. Authenticated users can upload files such as HTML, JavaScript, or SVG files containing malicious scripts. When other users download or view these files, the scripts will execute in their browser, allowing attackers to perform unauthorized actions or steal sensitive information from their sessions. This impacts any Gradio server that allows file uploads, particularly those using components that process or display user-uploaded files. Users are advised to upgrade to `gradio>=5` to address this issue. As a workaround, users can restrict the types of files that can be uploaded to the Gradio server by limiting uploads to non-executable file types such as images or text. Additionally, developers can implement server-side validation to sanitize uploaded files, ensuring that HTML, JavaScript, and SVG files are properly handled or rejected before being stored or displayed to users.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47872","reference_id":"","reference_type":"","scores":[{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48446","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47872"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-gvv6-33j7-884g","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:19:51Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-gvv6-33j7-884g"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-220.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-220.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47872","reference_id":"CVE-2024-47872","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47872"},{"reference_url":"https://github.com/advisories/GHSA-gvv6-33j7-884g","reference_id":"GHSA-gvv6-33j7-884g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gvv6-33j7-884g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42589?format=json","purl":"pkg:pypi/gradio@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zgc3-regn-3ubp"},{"vulnerability":"VCID-zgd4-q6ss-g3a6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0"}],"aliases":["CVE-2024-47872","GHSA-gvv6-33j7-884g","PYSEC-2024-220"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-reuv-7se1-pubz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/341164?format=json","vulnerability_id":"VCID-rkr6-ssp6-afdt","summary":"Gradio's dropdown component pre-process step does not limit the values to those in the dropdown list","references":[{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/advisories/GHSA-26jh-r8g2-6fpr","reference_id":"GHSA-26jh-r8g2-6fpr","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-26jh-r8g2-6fpr"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-26jh-r8g2-6fpr","reference_id":"GHSA-26jh-r8g2-6fpr","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-26jh-r8g2-6fpr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42589?format=json","purl":"pkg:pypi/gradio@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zgc3-regn-3ubp"},{"vulnerability":"VCID-zgd4-q6ss-g3a6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0"}],"aliases":["GHSA-26jh-r8g2-6fpr"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rkr6-ssp6-afdt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9119?format=json","vulnerability_id":"VCID-ry9e-qctr-7fbe","summary":"Gradio before 4.20 allows credential leakage on Windows.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34510","reference_id":"","reference_type":"","scores":[{"value":"0.00092","scoring_system":"epss","scoring_elements":"0.25958","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34510"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:U/UI:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-29T14:51:27Z/"}],"url":"https://github.com/gradio-app/gradio/"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-255.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-255.yaml"},{"reference_url":"https://www.gradio.app/changelog#4-20-0","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:U/UI:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-29T14:51:27Z/"}],"url":"https://www.gradio.app/changelog#4-20-0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34510","reference_id":"CVE-2024-34510","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34510"},{"reference_url":"https://github.com/advisories/GHSA-rvfh-h6c7-fc3c","reference_id":"GHSA-rvfh-h6c7-fc3c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rvfh-h6c7-fc3c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39838?format=json","purl":"pkg:pypi/gradio@4.20.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-135r-znhp-5yge"},{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-2968-zwkj-tka2"},{"vulnerability":"VCID-77wy-te8b-9qgc"},{"vulnerability":"VCID-7my4-fvg8-kqhw"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-cdyx-gjxu-zbgk"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ebmj-b24k-dkbb"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-ghyh-u1nb-nygf"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-tcqh-cmqg-bqfq"},{"vulnerability":"VCID-u4rh-huaj-7bf4"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-w8ua-mp21-v3cv"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zycs-zpma-xqey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.20.0"}],"aliases":["CVE-2024-34510","GHSA-rvfh-h6c7-fc3c","PYSEC-2024-255"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ry9e-qctr-7fbe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19909?format=json","vulnerability_id":"VCID-u38g-qy2t-67h2","summary":"gradio Server-Side Request Forgery vulnerability\nAn SSRF (Server-Side Request Forgery) vulnerability exists in the gradio-app/gradio repository, allowing attackers to scan and identify open ports within an internal network. By manipulating the 'file' parameter in a GET request, an attacker can discern the status of internal ports based on the presence of a 'Location' header or a 'File not allowed' error in the response.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-1183","reference_id":"","reference_type":"","scores":[{"value":"0.55048","scoring_system":"epss","scoring_elements":"0.98096","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-1183"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/2ad3d9e7ec6c8eeea59774265b44f11df7394bb4","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-20T18:25:36Z/"}],"url":"https://github.com/gradio-app/gradio/commit/2ad3d9e7ec6c8eeea59774265b44f11df7394bb4"},{"reference_url":"https://github.com/gradio-app/gradio/commit/7ba8c5da45b004edd12c0460be9222f5b5f5f055","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/7ba8c5da45b004edd12c0460be9222f5b5f5f055"},{"reference_url":"https://huntr.com/bounties/103434f9-87d2-42ea-9907-194a3c25007c","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-20T18:25:36Z/"}],"url":"https://huntr.com/bounties/103434f9-87d2-42ea-9907-194a3c25007c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1183","reference_id":"CVE-2024-1183","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1183"},{"reference_url":"https://github.com/advisories/GHSA-qh6x-j82h-vpf9","reference_id":"GHSA-qh6x-j82h-vpf9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qh6x-j82h-vpf9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/37266?format=json","purl":"pkg:pypi/gradio@4.10.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-135r-znhp-5yge"},{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-2968-zwkj-tka2"},{"vulnerability":"VCID-38nv-9rjy-2bfp"},{"vulnerability":"VCID-77wy-te8b-9qgc"},{"vulnerability":"VCID-7my4-fvg8-kqhw"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8bv8-xgvg-6kf9"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-aue3-ymt4-nqen"},{"vulnerability":"VCID-c7fg-xz7c-fyhg"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-cdyx-gjxu-zbgk"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ebmj-b24k-dkbb"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fcry-haph-rkgh"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-ghvm-1968-qubu"},{"vulnerability":"VCID-ghyh-u1nb-nygf"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-hhz7-44uh-yucs"},{"vulnerability":"VCID-kmrx-ftzg-5qe7"},{"vulnerability":"VCID-mrwe-sxue-pbcg"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-ry9e-qctr-7fbe"},{"vulnerability":"VCID-tcqh-cmqg-bqfq"},{"vulnerability":"VCID-u4rh-huaj-7bf4"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-w8ua-mp21-v3cv"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-xffe-brwp-6yea"},{"vulnerability":"VCID-zycs-zpma-xqey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.10.0"}],"aliases":["CVE-2024-1183","GHSA-qh6x-j82h-vpf9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u38g-qy2t-67h2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/268141?format=json","vulnerability_id":"VCID-u4rh-huaj-7bf4","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-4940","reference_id":"","reference_type":"","scores":[{"value":"0.07236","scoring_system":"epss","scoring_elements":"0.91745","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-4940"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://huntr.com/bounties/35aaea93-6895-4f03-9c1b-cd992665aa60","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-24T14:09:04Z/"}],"url":"https://huntr.com/bounties/35aaea93-6895-4f03-9c1b-cd992665aa60"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4940","reference_id":"CVE-2024-4940","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4940"},{"reference_url":"https://github.com/advisories/GHSA-g6c9-f4xm-9j4x","reference_id":"GHSA-g6c9-f4xm-9j4x","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g6c9-f4xm-9j4x"}],"fixed_packages":[],"aliases":["CVE-2024-4940","GHSA-g6c9-f4xm-9j4x"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u4rh-huaj-7bf4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9233?format=json","vulnerability_id":"VCID-vad2-ydnk-nkgs","summary":"Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a **lack of integrity check** on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker gains access to the remote URL from which the FRP client is downloaded, they could modify the binary without detection, as the Gradio server does not verify the file's checksum or signature.  Any users utilizing the Gradio server's sharing mechanism that downloads the FRP client could be affected by this vulnerability, especially those relying on the executable binary for secure data tunneling. There is no direct workaround for this issue without upgrading. However, users can manually validate the integrity of the downloaded FRP client by implementing checksum or signature verification in their own environment to ensure the binary hasn't been tampered with.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47867","reference_id":"","reference_type":"","scores":[{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44787","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47867"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-8c87-gvhj-xm8m","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:06:22Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-8c87-gvhj-xm8m"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-216.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-216.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47867","reference_id":"CVE-2024-47867","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47867"},{"reference_url":"https://github.com/advisories/GHSA-8c87-gvhj-xm8m","reference_id":"GHSA-8c87-gvhj-xm8m","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8c87-gvhj-xm8m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42589?format=json","purl":"pkg:pypi/gradio@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zgc3-regn-3ubp"},{"vulnerability":"VCID-zgd4-q6ss-g3a6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0"}],"aliases":["CVE-2024-47867","GHSA-8c87-gvhj-xm8m","PYSEC-2024-216"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vad2-ydnk-nkgs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9225?format=json","vulnerability_id":"VCID-w8ua-mp21-v3cv","summary":"Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **one-level read path traversal** in the `/custom_component` endpoint. Attackers can exploit this flaw to access and leak source code from custom Gradio components by manipulating the file path in the request. Although the traversal is limited to a single directory level, it could expose proprietary or sensitive code that developers intended to keep private. This impacts users who have developed custom Gradio components and are hosting them on publicly accessible servers. Users are advised to upgrade to `gradio>=4.44` to address this issue. As a workaround, developers can sanitize the file paths and ensure that components are not stored in publicly accessible directories.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47166","reference_id":"","reference_type":"","scores":[{"value":"0.00245","scoring_system":"epss","scoring_elements":"0.47937","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47166"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-37qc-qgx6-9xjv","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:26:33Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-37qc-qgx6-9xjv"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-197.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-197.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47166","reference_id":"CVE-2024-47166","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47166"},{"reference_url":"https://github.com/advisories/GHSA-37qc-qgx6-9xjv","reference_id":"GHSA-37qc-qgx6-9xjv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-37qc-qgx6-9xjv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42580?format=json","purl":"pkg:pypi/gradio@4.44.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-cdyx-gjxu-zbgk"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-r5mb-vhku-5bbr"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-tcqh-cmqg-bqfq"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-x7p6-gazz-z7gz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.44.0"}],"aliases":["CVE-2024-47166","GHSA-37qc-qgx6-9xjv","PYSEC-2024-197"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w8ua-mp21-v3cv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/276775?format=json","vulnerability_id":"VCID-x7p6-gazz-z7gz","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-8966","reference_id":"","reference_type":"","scores":[{"value":"0.0029","scoring_system":"epss","scoring_elements":"0.52642","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-8966"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/f1718c47137f9c60240da7afe5e3290aa0f1cb47","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/f1718c47137f9c60240da7afe5e3290aa0f1cb47"},{"reference_url":"https://huntr.com/bounties/7b5932bb-58d1-4e71-b85c-43dc40522ff2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T15:50:36Z/"}],"url":"https://huntr.com/bounties/7b5932bb-58d1-4e71-b85c-43dc40522ff2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8966","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8966"},{"reference_url":"https://github.com/advisories/GHSA-5cpq-9538-jm2j","reference_id":"GHSA-5cpq-9538-jm2j","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5cpq-9538-jm2j"}],"fixed_packages":[],"aliases":["CVE-2024-8966","GHSA-5cpq-9538-jm2j"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x7p6-gazz-z7gz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19908?format=json","vulnerability_id":"VCID-xffe-brwp-6yea","summary":"gradio vulnerable to Path Traversal\nAn issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_to_block_cache()` method of the `Block` class, an attacker can copy any file on the filesystem to a temporary directory and subsequently retrieve it. This vulnerability enables unauthorized local file read access, posing a significant risk especially when the application is exposed to the internet via `launch(share=True)`, thereby allowing remote attackers to read files on the host machine. Furthermore, gradio apps hosted on `huggingface.co` are also affected, potentially leading to the exposure of sensitive information such as API keys and credentials stored in environment variables.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-1561","reference_id":"","reference_type":"","scores":[{"value":"0.93426","scoring_system":"epss","scoring_elements":"0.99824","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-1561"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-13T19:06:47Z/"}],"url":"https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2"},{"reference_url":"https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-13T19:06:47Z/"}],"url":"https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338"},{"reference_url":"https://www.gradio.app/changelog#4-13-0","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-13T19:06:47Z/"}],"url":"https://www.gradio.app/changelog#4-13-0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1561","reference_id":"CVE-2024-1561","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1561"},{"reference_url":"https://github.com/advisories/GHSA-g9cj-cfpp-4g2x","reference_id":"GHSA-g9cj-cfpp-4g2x","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g9cj-cfpp-4g2x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/37269?format=json","purl":"pkg:pypi/gradio@4.13.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-135r-znhp-5yge"},{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-2968-zwkj-tka2"},{"vulnerability":"VCID-38nv-9rjy-2bfp"},{"vulnerability":"VCID-77wy-te8b-9qgc"},{"vulnerability":"VCID-7my4-fvg8-kqhw"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8bv8-xgvg-6kf9"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-cdyx-gjxu-zbgk"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ebmj-b24k-dkbb"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fcry-haph-rkgh"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-ghvm-1968-qubu"},{"vulnerability":"VCID-ghyh-u1nb-nygf"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-hhz7-44uh-yucs"},{"vulnerability":"VCID-kmrx-ftzg-5qe7"},{"vulnerability":"VCID-mrwe-sxue-pbcg"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-ry9e-qctr-7fbe"},{"vulnerability":"VCID-tcqh-cmqg-bqfq"},{"vulnerability":"VCID-u4rh-huaj-7bf4"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-w8ua-mp21-v3cv"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-zycs-zpma-xqey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.13.0"}],"aliases":["CVE-2024-1561","GHSA-g9cj-cfpp-4g2x"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xffe-brwp-6yea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8212?format=json","vulnerability_id":"VCID-yx69-h7t2-tbe7","summary":"Gradio is an open source framework for building interactive machine learning models and demos. In versions prior to 2.5.0 there is a vulnerability that affects anyone who creates and publicly shares Gradio interfaces. File paths are not restricted and users who receive a Gradio link can access any files on the host computer if they know the file names or file paths. This is limited only by the host operating system. Paths are opened in read only mode. The problem has been patched in gradio 2.5.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43831","reference_id":"","reference_type":"","scores":[{"value":"0.30342","scoring_system":"epss","scoring_elements":"0.96776","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43831"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/41bd3645bdb616e1248b2167ca83636a2653f781","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/41bd3645bdb616e1248b2167ca83636a2653f781"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-rhq2-3vr9-6mcr","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-rhq2-3vr9-6mcr"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2021-873.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2021-873.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43831","reference_id":"CVE-2021-43831","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43831"},{"reference_url":"https://github.com/advisories/GHSA-rhq2-3vr9-6mcr","reference_id":"GHSA-rhq2-3vr9-6mcr","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rhq2-3vr9-6mcr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/24604?format=json","purl":"pkg:pypi/gradio@2.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-135r-znhp-5yge"},{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-2968-zwkj-tka2"},{"vulnerability":"VCID-38nv-9rjy-2bfp"},{"vulnerability":"VCID-4v1z-hd63-4fc6"},{"vulnerability":"VCID-77wy-te8b-9qgc"},{"vulnerability":"VCID-7my4-fvg8-kqhw"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-83yw-mt71-tyeq"},{"vulnerability":"VCID-8bv8-xgvg-6kf9"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-aue3-ymt4-nqen"},{"vulnerability":"VCID-c7fg-xz7c-fyhg"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ebmj-b24k-dkbb"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fcry-haph-rkgh"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-ghvm-1968-qubu"},{"vulnerability":"VCID-ghyh-u1nb-nygf"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-hhz7-44uh-yucs"},{"vulnerability":"VCID-kmrx-ftzg-5qe7"},{"vulnerability":"VCID-mrwe-sxue-pbcg"},{"vulnerability":"VCID-r4jn-wcux-qqd7"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-ry9e-qctr-7fbe"},{"vulnerability":"VCID-u38g-qy2t-67h2"},{"vulnerability":"VCID-u4rh-huaj-7bf4"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-w8ua-mp21-v3cv"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-xffe-brwp-6yea"},{"vulnerability":"VCID-z72y-7um8-p3dj"},{"vulnerability":"VCID-zycs-zpma-xqey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@2.5.0"}],"aliases":["CVE-2021-43831","GHSA-rhq2-3vr9-6mcr","PYSEC-2021-873"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yx69-h7t2-tbe7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9054?format=json","vulnerability_id":"VCID-z72y-7um8-p3dj","summary":"A local file include could be remotely triggered in Gradio due to a vulnerable user-supplied JSON value in an API request.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-0964","reference_id":"","reference_type":"","scores":[{"value":"0.00147","scoring_system":"epss","scoring_elements":"0.34868","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-0964"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/d76bcaaaf0734aaf49a680f94ea9d4d22a602e70","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"9.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-06T18:33:00Z/"}],"url":"https://github.com/gradio-app/gradio/commit/d76bcaaaf0734aaf49a680f94ea9d4d22a602e70"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-261.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-261.yaml"},{"reference_url":"https://huntr.com/bounties/25e25501-5918-429c-8541-88832dfd3741","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"9.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-06T18:33:00Z/"}],"url":"https://huntr.com/bounties/25e25501-5918-429c-8541-88832dfd3741"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-0964","reference_id":"CVE-2024-0964","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-0964"},{"reference_url":"https://github.com/advisories/GHSA-f3h9-8phc-6gvh","reference_id":"GHSA-f3h9-8phc-6gvh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f3h9-8phc-6gvh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/37264?format=json","purl":"pkg:pypi/gradio@4.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-135r-znhp-5yge"},{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-2968-zwkj-tka2"},{"vulnerability":"VCID-38nv-9rjy-2bfp"},{"vulnerability":"VCID-77wy-te8b-9qgc"},{"vulnerability":"VCID-7my4-fvg8-kqhw"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8bv8-xgvg-6kf9"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-aue3-ymt4-nqen"},{"vulnerability":"VCID-c7fg-xz7c-fyhg"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-cdyx-gjxu-zbgk"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ebmj-b24k-dkbb"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fcry-haph-rkgh"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-ghvm-1968-qubu"},{"vulnerability":"VCID-ghyh-u1nb-nygf"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-hhz7-44uh-yucs"},{"vulnerability":"VCID-kmrx-ftzg-5qe7"},{"vulnerability":"VCID-mrwe-sxue-pbcg"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-ry9e-qctr-7fbe"},{"vulnerability":"VCID-tcqh-cmqg-bqfq"},{"vulnerability":"VCID-u38g-qy2t-67h2"},{"vulnerability":"VCID-u4rh-huaj-7bf4"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-w8ua-mp21-v3cv"},{"vulnerability":"VCID-x7p6-gazz-z7gz"},{"vulnerability":"VCID-xffe-brwp-6yea"},{"vulnerability":"VCID-zycs-zpma-xqey"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.9.0"}],"aliases":["CVE-2024-0964","GHSA-f3h9-8phc-6gvh","PYSEC-2024-261"],"risk_score":4.2,"exploitability":"0.5","weighted_severity":"8.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z72y-7um8-p3dj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9230?format=json","vulnerability_id":"VCID-zycs-zpma-xqey","summary":"Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves data exposure due to the enable_monitoring flag not properly disabling monitoring when set to False. Even when monitoring is supposedly disabled, an attacker or unauthorized user can still access the monitoring dashboard by directly requesting the /monitoring endpoint. This means that sensitive application analytics may still be exposed, particularly in environments where monitoring is expected to be disabled. Users who set enable_monitoring=False to prevent unauthorized access to monitoring data are impacted. Users are advised to upgrade to gradio>=4.44 to address this issue. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47168","reference_id":"","reference_type":"","scores":[{"value":"0.00158","scoring_system":"epss","scoring_elements":"0.36447","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47168"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-hm3c-93pg-4cxw","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:28:11Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-hm3c-93pg-4cxw"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-198.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-198.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47168","reference_id":"CVE-2024-47168","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47168"},{"reference_url":"https://github.com/advisories/GHSA-hm3c-93pg-4cxw","reference_id":"GHSA-hm3c-93pg-4cxw","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hm3c-93pg-4cxw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42580?format=json","purl":"pkg:pypi/gradio@4.44.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17vf-h543-33ch"},{"vulnerability":"VCID-7qyj-s1nm-ekay"},{"vulnerability":"VCID-8n3u-687v-2feg"},{"vulnerability":"VCID-a3xu-7cqy-gyhd"},{"vulnerability":"VCID-cbe3-n9tq-6yas"},{"vulnerability":"VCID-cdyx-gjxu-zbgk"},{"vulnerability":"VCID-dugv-7fyw-dke5"},{"vulnerability":"VCID-ec3r-7thk-mbhr"},{"vulnerability":"VCID-fjuj-9xc6-bkac"},{"vulnerability":"VCID-gs22-farz-afdd"},{"vulnerability":"VCID-gyvv-u98g-6keb"},{"vulnerability":"VCID-hhx7-n4cb-qbcc"},{"vulnerability":"VCID-kt73-gz4z-6faf"},{"vulnerability":"VCID-r5mb-vhku-5bbr"},{"vulnerability":"VCID-rdck-p2jh-cfbz"},{"vulnerability":"VCID-reuv-7se1-pubz"},{"vulnerability":"VCID-rkr6-ssp6-afdt"},{"vulnerability":"VCID-tcqh-cmqg-bqfq"},{"vulnerability":"VCID-vad2-ydnk-nkgs"},{"vulnerability":"VCID-x7p6-gazz-z7gz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.44.0"}],"aliases":["CVE-2024-47168","GHSA-hm3c-93pg-4cxw","PYSEC-2024-198"],"risk_score":1.9,"exploitability":"0.5","weighted_severity":"3.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zycs-zpma-xqey"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@0.9.9.7"}