{"url":"http://public2.vulnerablecode.io/api/packages/68244?format=json","purl":"pkg:pypi/gradio@0.9.2","type":"pypi","namespace":"","name":"gradio","version":"0.9.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.7.0","latest_non_vulnerable_version":"6.7.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57960?format=json","vulnerability_id":"VCID-11sa-8f5a-87f1","summary":"Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **one-level read path traversal** in the `/custom_component` endpoint. Attackers can exploit this flaw to access and leak source code from custom Gradio components by manipulating the file path in the request. Although the traversal is limited to a single directory level, it could expose proprietary or sensitive code that developers intended to keep private. This impacts users who have developed custom Gradio components and are hosting them on publicly accessible servers. Users are advised to upgrade to `gradio>=4.44` to address this issue. As a workaround, developers can sanitize the file paths and ensure that components are not stored in publicly accessible directories.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47166","reference_id":"","reference_type":"","scores":[{"value":"0.00245","scoring_system":"epss","scoring_elements":"0.48044","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00245","scoring_system":"epss","scoring_elements":"0.48182","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47166"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-197.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-197.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47166","reference_id":"CVE-2024-47166","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47166"},{"reference_url":"https://github.com/advisories/GHSA-37qc-qgx6-9xjv","reference_id":"GHSA-37qc-qgx6-9xjv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-37qc-qgx6-9xjv"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-37qc-qgx6-9xjv","reference_id":"GHSA-37qc-qgx6-9xjv","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:26:33Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-37qc-qgx6-9xjv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33793?format=json","purl":"pkg:pypi/gradio@4.44.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-evrn-yx94-abh8"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kj44-e4fu-rfd9"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-z3jc-ajud-zbej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.44.0"}],"aliases":["CVE-2024-47166","GHSA-37qc-qgx6-9xjv","PYSEC-2024-197"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-11sa-8f5a-87f1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57570?format=json","vulnerability_id":"VCID-2kc2-mh1j-hbcc","summary":"Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **race condition** in the `update_root_in_config` function, allowing an attacker to modify the `root` URL used by the Gradio frontend to communicate with the backend. By exploiting this flaw, an attacker can redirect user traffic to a malicious server. This could lead to the interception of sensitive data such as authentication credentials or uploaded files. This impacts all users who connect to a Gradio server, especially those exposed to the internet, where malicious actors could exploit this race condition. Users are advised to upgrade to `gradio>=5` to address this issue. There are no known workarounds for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47870","reference_id":"","reference_type":"","scores":[{"value":"0.00192","scoring_system":"epss","scoring_elements":"0.4099","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00192","scoring_system":"epss","scoring_elements":"0.41157","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47870"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-218.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-218.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47870","reference_id":"CVE-2024-47870","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47870"},{"reference_url":"https://github.com/advisories/GHSA-xh2x-3mrm-fwqm","reference_id":"GHSA-xh2x-3mrm-fwqm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xh2x-3mrm-fwqm"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-xh2x-3mrm-fwqm","reference_id":"GHSA-xh2x-3mrm-fwqm","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-11T15:16:16Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-xh2x-3mrm-fwqm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33794?format=json","purl":"pkg:pypi/gradio@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jqwz-jr66-yqaz"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-rk1f-25hb-jbcv"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-yztr-6wbj-jueb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0"}],"aliases":["CVE-2024-47870","GHSA-xh2x-3mrm-fwqm","PYSEC-2024-218"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2kc2-mh1j-hbcc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/142544?format=json","vulnerability_id":"VCID-3hxd-n4m1-hqa1","summary":"Command Injection in GitHub repository gradio-app/gradio prior to main.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-6572","reference_id":"","reference_type":"","scores":[{"value":"0.02454","scoring_system":"epss","scoring_elements":"0.85594","published_at":"2026-06-12T12:55:00Z"},{"value":"0.02454","scoring_system":"epss","scoring_elements":"0.85543","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-6572"},{"reference_url":"https://github.com/advisories/GHSA-gqvf-3hgp-5hxv","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gqvf-3hgp-5hxv"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-255.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-255.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6572","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6572"},{"reference_url":"https://huntr.com/bounties/21d2ff0c-d43a-4afd-bb4d-049ee8da5b5c","reference_id":"21d2ff0c-d43a-4afd-bb4d-049ee8da5b5c","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-22T17:40:43Z/"}],"url":"https://huntr.com/bounties/21d2ff0c-d43a-4afd-bb4d-049ee8da5b5c"},{"reference_url":"https://github.com/gradio-app/gradio/commit/5b5af1899dd98d63e1f9b48a93601c2db1f56520","reference_id":"5b5af1899dd98d63e1f9b48a93601c2db1f56520","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-22T17:40:43Z/"}],"url":"https://github.com/gradio-app/gradio/commit/5b5af1899dd98d63e1f9b48a93601c2db1f56520"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81287?format=json","purl":"pkg:pypi/gradio@4.14.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sa-8f5a-87f1"},{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-3vnm-khj6-9ybe"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-7bun-hzzg-qfcm"},{"vulnerability":"VCID-7x2s-krau-t7ar"},{"vulnerability":"VCID-8ecf-wfxz-r7fj"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-bcf4-86rd-kfat"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jm6j-hnz2-tkct"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kj44-e4fu-rfd9"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-m8t2-4zrz-z3fh"},{"vulnerability":"VCID-mhvj-wpvr-u3ga"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-q5rx-nz6x-8ka3"},{"vulnerability":"VCID-rk9f-z9gv-83h8"},{"vulnerability":"VCID-t3ut-uv9g-pya9"},{"vulnerability":"VCID-t6gg-aaqm-sbdx"},{"vulnerability":"VCID-uy45-t1ck-tuha"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-z3jc-ajud-zbej"},{"vulnerability":"VCID-zsef-t5b1-vqd2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.14.0"}],"aliases":["CVE-2023-6572","GHSA-gqvf-3hgp-5hxv","PYSEC-2023-255"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3hxd-n4m1-hqa1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56253?format=json","vulnerability_id":"VCID-3vnm-khj6-9ybe","summary":"In gradio <=4.42.0, the gr.DownloadButton function has a hidden server-side request forgery (SSRF) vulnerability. The reason is that within the save_url_to_cache function, there are no restrictions on the URL, which allows access to local target resources. This can lead to the download of local resources and sensitive information.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-48052","reference_id":"","reference_type":"","scores":[{"value":"0.00125","scoring_system":"epss","scoring_elements":"0.31518","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00125","scoring_system":"epss","scoring_elements":"0.31326","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-48052"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-48052","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-48052"},{"reference_url":"https://gist.github.com/AfterSnows/45ffc23797f9127e00755376cc610e12","reference_id":"45ffc23797f9127e00755376cc610e12","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-06T19:19:51Z/"}],"url":"https://gist.github.com/AfterSnows/45ffc23797f9127e00755376cc610e12"},{"reference_url":"https://rumbling-slice-eb0.notion.site/FULL-SSRF-in-gr-DownloadButton-in-gradio-app-gradio-870b21e0908b48cbafd914719ac1a4e6?pvs=4","reference_id":"FULL-SSRF-in-gr-DownloadButton-in-gradio-app-gradio-870b21e0908b48cbafd914719ac1a4e6?pvs=4","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-06T19:19:51Z/"}],"url":"https://rumbling-slice-eb0.notion.site/FULL-SSRF-in-gr-DownloadButton-in-gradio-app-gradio-870b21e0908b48cbafd914719ac1a4e6?pvs=4"},{"reference_url":"https://github.com/advisories/GHSA-3gf9-wv65-gwh9","reference_id":"GHSA-3gf9-wv65-gwh9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3gf9-wv65-gwh9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86122?format=json","purl":"pkg:pypi/gradio@4.43.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sa-8f5a-87f1"},{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-evrn-yx94-abh8"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jm6j-hnz2-tkct"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kj44-e4fu-rfd9"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-t3ut-uv9g-pya9"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-z3jc-ajud-zbej"},{"vulnerability":"VCID-zsef-t5b1-vqd2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.43.0"}],"aliases":["CVE-2024-48052","GHSA-3gf9-wv65-gwh9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3vnm-khj6-9ybe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57886?format=json","vulnerability_id":"VCID-4z8e-1e5c-gbh1","summary":"Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to the **bypass of directory traversal checks** within the `is_in_or_equal` function. This function, intended to check if a file resides within a given directory, can be bypassed with certain payloads that manipulate file paths using `..` (parent directory) sequences. Attackers could potentially access restricted files if they are able to exploit this flaw, although the difficulty is high. This primarily impacts users relying on Gradio’s blocklist or directory access validation, particularly when handling file uploads. Users are advised to upgrade to `gradio>=5.0` to address this issue. As a workaround, users can manually sanitize and normalize file paths in their Gradio deployment before passing them to the `is_in_or_equal` function. Ensuring that all file paths are properly resolved and absolute can help mitigate the bypass vulnerabilities caused by the improper handling of `..` sequences or malformed paths.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47164","reference_id":"","reference_type":"","scores":[{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.4245","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.42286","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47164"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/08b51590163b306fd874f543f6fcaf23ac7d2646","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/08b51590163b306fd874f543f6fcaf23ac7d2646"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-213.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-213.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47164","reference_id":"CVE-2024-47164","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47164"},{"reference_url":"https://github.com/advisories/GHSA-77xq-6g77-h274","reference_id":"GHSA-77xq-6g77-h274","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-77xq-6g77-h274"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-77xq-6g77-h274","reference_id":"GHSA-77xq-6g77-h274","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:24:39Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-77xq-6g77-h274"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33794?format=json","purl":"pkg:pypi/gradio@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jqwz-jr66-yqaz"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-rk1f-25hb-jbcv"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-yztr-6wbj-jueb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0"}],"aliases":["CVE-2024-47164","GHSA-77xq-6g77-h274","PYSEC-2024-213"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4z8e-1e5c-gbh1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/129078?format=json","vulnerability_id":"VCID-55hz-6uty-ykap","summary":"Gradio is an open-source Python library to build machine learning and data science demos and web applications. Versions prior to 3.13.1 contain Use of Hard-coded Credentials. When using Gradio's share links (i.e. creating a Gradio app and then setting `share=True`), a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides. This issue is patched in version 3.13.1, however, users  are recommended to update to 3.19.1 or later where the FRP solution has been properly tested.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-25823","reference_id":"","reference_type":"","scores":[{"value":"0.00408","scoring_system":"epss","scoring_elements":"0.61732","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00408","scoring_system":"epss","scoring_elements":"0.6163","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-25823"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-16.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-16.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25823","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25823"},{"reference_url":"https://github.com/advisories/GHSA-3x5j-9vwr-8rr5","reference_id":"GHSA-3x5j-9vwr-8rr5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3x5j-9vwr-8rr5"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-3x5j-9vwr-8rr5","reference_id":"GHSA-3x5j-9vwr-8rr5","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:56:59Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-3x5j-9vwr-8rr5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74304?format=json","purl":"pkg:pypi/gradio@3.13.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sa-8f5a-87f1"},{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-3hxd-n4m1-hqa1"},{"vulnerability":"VCID-3vnm-khj6-9ybe"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-7bun-hzzg-qfcm"},{"vulnerability":"VCID-7n76-hnnk-fke4"},{"vulnerability":"VCID-7x2s-krau-t7ar"},{"vulnerability":"VCID-8ecf-wfxz-r7fj"},{"vulnerability":"VCID-8nw2-zc3r-43gy"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-bcf4-86rd-kfat"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-fgmy-t86e-7qhh"},{"vulnerability":"VCID-fy4u-yk22-eya1"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jm6j-hnz2-tkct"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-m8t2-4zrz-z3fh"},{"vulnerability":"VCID-mhvj-wpvr-u3ga"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-q5rx-nz6x-8ka3"},{"vulnerability":"VCID-rk9f-z9gv-83h8"},{"vulnerability":"VCID-t3ut-uv9g-pya9"},{"vulnerability":"VCID-t6gg-aaqm-sbdx"},{"vulnerability":"VCID-tdaq-j7v4-x7h3"},{"vulnerability":"VCID-ts11-31jn-xqcz"},{"vulnerability":"VCID-uy45-t1ck-tuha"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-zsef-t5b1-vqd2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@3.13.1"}],"aliases":["CVE-2023-25823","GHSA-3x5j-9vwr-8rr5","PYSEC-2023-16"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-55hz-6uty-ykap"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57535?format=json","vulnerability_id":"VCID-56ts-6khe-yub6","summary":"Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **Server-Side Request Forgery (SSRF)** in the `/queue/join` endpoint. Gradio’s `async_save_url_to_cache` function allows attackers to force the Gradio server to send HTTP requests to user-controlled URLs. This could enable attackers to target internal servers or services within a local network and possibly exfiltrate data or cause unwanted internal requests. Additionally, the content from these URLs is stored locally, making it easier for attackers to upload potentially malicious files to the server. This impacts users deploying Gradio servers that use components like the Video component which involve URL fetching. Users are advised to upgrade to `gradio>=5` to address this issue.  As a workaround, users can disable or heavily restrict URL-based inputs in their Gradio applications to trusted domains only. Additionally, implementing stricter URL validation (such as allowinglist-based validation) and ensuring that local or internal network addresses cannot be requested via the `/queue/join` endpoint can help mitigate the risk of SSRF attacks.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47167","reference_id":"","reference_type":"","scores":[{"value":"0.00181","scoring_system":"epss","scoring_elements":"0.39523","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00181","scoring_system":"epss","scoring_elements":"0.39693","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47167"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-215.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-215.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47167","reference_id":"CVE-2024-47167","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47167"},{"reference_url":"https://github.com/advisories/GHSA-576c-3j53-r9jj","reference_id":"GHSA-576c-3j53-r9jj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-576c-3j53-r9jj"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-576c-3j53-r9jj","reference_id":"GHSA-576c-3j53-r9jj","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:26:59Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-576c-3j53-r9jj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33794?format=json","purl":"pkg:pypi/gradio@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jqwz-jr66-yqaz"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-rk1f-25hb-jbcv"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-yztr-6wbj-jueb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0"}],"aliases":["CVE-2024-47167","GHSA-576c-3j53-r9jj","PYSEC-2024-215"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-56ts-6khe-yub6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212268?format=json","vulnerability_id":"VCID-6qjh-ukrg-bbhn","summary":"Gradio's dropdown component pre-process step does not limit the values to those in the dropdown list","references":[{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/advisories/GHSA-26jh-r8g2-6fpr","reference_id":"GHSA-26jh-r8g2-6fpr","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-26jh-r8g2-6fpr"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-26jh-r8g2-6fpr","reference_id":"GHSA-26jh-r8g2-6fpr","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-26jh-r8g2-6fpr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33794?format=json","purl":"pkg:pypi/gradio@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jqwz-jr66-yqaz"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-rk1f-25hb-jbcv"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-yztr-6wbj-jueb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0"}],"aliases":["GHSA-26jh-r8g2-6fpr"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6qjh-ukrg-bbhn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34527?format=json","vulnerability_id":"VCID-7bun-hzzg-qfcm","summary":"An open redirect vulnerability exists in the latest version of gradio-app/gradio. The vulnerability allows an attacker to redirect users to a malicious website by URL encoding. This can be exploited by sending a crafted request to the application, which results in a 302 redirect to an attacker-controlled site.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-8021","reference_id":"","reference_type":"","scores":[{"value":"0.02555","scoring_system":"epss","scoring_elements":"0.85875","published_at":"2026-06-12T12:55:00Z"},{"value":"0.02555","scoring_system":"epss","scoring_elements":"0.85826","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-8021"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8021","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8021"},{"reference_url":"https://huntr.com/bounties/adc23067-ec04-47ef-9265-afd452071888","reference_id":"adc23067-ec04-47ef-9265-afd452071888","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-20T13:11:00Z/"}],"url":"https://huntr.com/bounties/adc23067-ec04-47ef-9265-afd452071888"},{"reference_url":"https://github.com/advisories/GHSA-7v2w-h4gh-w5cv","reference_id":"GHSA-7v2w-h4gh-w5cv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7v2w-h4gh-w5cv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86116?format=json","purl":"pkg:pypi/gradio@4.38.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sa-8f5a-87f1"},{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-3vnm-khj6-9ybe"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-evrn-yx94-abh8"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jm6j-hnz2-tkct"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kj44-e4fu-rfd9"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-t3ut-uv9g-pya9"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-z3jc-ajud-zbej"},{"vulnerability":"VCID-zsef-t5b1-vqd2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.38.0"}],"aliases":["CVE-2024-8021","GHSA-7v2w-h4gh-w5cv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7bun-hzzg-qfcm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/131237?format=json","vulnerability_id":"VCID-7n76-hnnk-fke4","summary":"Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Versions of `gradio` prior to 4.11.0 contained a vulnerability in the `/file` route which made them susceptible to file traversal attacks in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with `share=True`, or on Hugging Face Spaces) if they knew the path of files to look for. This issue has been patched in version 4.11.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-51449","reference_id":"","reference_type":"","scores":[{"value":"0.81488","scoring_system":"epss","scoring_elements":"0.99201","published_at":"2026-06-11T12:55:00Z"},{"value":"0.81488","scoring_system":"epss","scoring_elements":"0.99204","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-51449"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-249.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-249.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-51449","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-51449"},{"reference_url":"https://github.com/gradio-app/gradio/commit/1b9d4234d6c25ef250d882c7b90e1f4039ed2d76","reference_id":"1b9d4234d6c25ef250d882c7b90e1f4039ed2d76","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T21:07:15Z/"}],"url":"https://github.com/gradio-app/gradio/commit/1b9d4234d6c25ef250d882c7b90e1f4039ed2d76"},{"reference_url":"https://github.com/gradio-app/gradio/commit/7ba8c5da45b004edd12c0460be9222f5b5f5f055","reference_id":"7ba8c5da45b004edd12c0460be9222f5b5f5f055","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T21:07:15Z/"}],"url":"https://github.com/gradio-app/gradio/commit/7ba8c5da45b004edd12c0460be9222f5b5f5f055"},{"reference_url":"https://github.com/advisories/GHSA-6qm2-wpxq-7qh2","reference_id":"GHSA-6qm2-wpxq-7qh2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6qm2-wpxq-7qh2"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-6qm2-wpxq-7qh2","reference_id":"GHSA-6qm2-wpxq-7qh2","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T21:07:15Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-6qm2-wpxq-7qh2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81372?format=json","purl":"pkg:pypi/gradio@4.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sa-8f5a-87f1"},{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-3hxd-n4m1-hqa1"},{"vulnerability":"VCID-3vnm-khj6-9ybe"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-7bun-hzzg-qfcm"},{"vulnerability":"VCID-7x2s-krau-t7ar"},{"vulnerability":"VCID-8ecf-wfxz-r7fj"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-bcf4-86rd-kfat"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-fy4u-yk22-eya1"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jm6j-hnz2-tkct"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kj44-e4fu-rfd9"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-m8t2-4zrz-z3fh"},{"vulnerability":"VCID-mhvj-wpvr-u3ga"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-q5rx-nz6x-8ka3"},{"vulnerability":"VCID-rk9f-z9gv-83h8"},{"vulnerability":"VCID-t3ut-uv9g-pya9"},{"vulnerability":"VCID-t6gg-aaqm-sbdx"},{"vulnerability":"VCID-tdaq-j7v4-x7h3"},{"vulnerability":"VCID-uy45-t1ck-tuha"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-z3jc-ajud-zbej"},{"vulnerability":"VCID-zsef-t5b1-vqd2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.11.0"}],"aliases":["CVE-2023-51449","GHSA-6qm2-wpxq-7qh2","PYSEC-2023-249"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7n76-hnnk-fke4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47739?format=json","vulnerability_id":"VCID-7x2s-krau-t7ar","summary":"A local file inclusion vulnerability exists in the JSON component of gradio-app/gradio version 4.25. The vulnerability arises from improper input validation in the `postprocess()` function within `gradio/components/json_component.py`, where a user-controlled string is parsed as JSON. If the parsed JSON object contains a `path` key, the specified file is moved to a temporary directory, making it possible to retrieve it later via the `/file=..` endpoint. This issue is due to the `processing_utils.move_files_to_cache()` function traversing any object passed to it, looking for a dictionary with a `path` key, and then copying the specified file to a temporary directory. The vulnerability can be exploited by an attacker to read files on the remote system, posing a significant security risk.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-4941","reference_id":"","reference_type":"","scores":[{"value":"0.00686","scoring_system":"epss","scoring_elements":"0.7227","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00686","scoring_system":"epss","scoring_elements":"0.72187","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-4941"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-184.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-184.yaml"},{"reference_url":"https://huntr.com/bounties/39889ce1-298d-4568-aecd-7ae40c2ca58e","reference_id":"39889ce1-298d-4568-aecd-7ae40c2ca58e","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T18:13:53Z/"}],"url":"https://huntr.com/bounties/39889ce1-298d-4568-aecd-7ae40c2ca58e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4941","reference_id":"CVE-2024-4941","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4941"},{"reference_url":"https://github.com/gradio-app/gradio/commit/ee1e2942e0a1ae84a08a05464e41c8108a03fa9c","reference_id":"ee1e2942e0a1ae84a08a05464e41c8108a03fa9c","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T18:13:53Z/"}],"url":"https://github.com/gradio-app/gradio/commit/ee1e2942e0a1ae84a08a05464e41c8108a03fa9c"},{"reference_url":"https://github.com/advisories/GHSA-6v6g-j5fq-hpvw","reference_id":"GHSA-6v6g-j5fq-hpvw","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6v6g-j5fq-hpvw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32027?format=json","purl":"pkg:pypi/gradio@4.31.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sa-8f5a-87f1"},{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-3vnm-khj6-9ybe"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-7bun-hzzg-qfcm"},{"vulnerability":"VCID-7x2s-krau-t7ar"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jm6j-hnz2-tkct"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kj44-e4fu-rfd9"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-mhvj-wpvr-u3ga"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-t3ut-uv9g-pya9"},{"vulnerability":"VCID-t6gg-aaqm-sbdx"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-z3jc-ajud-zbej"},{"vulnerability":"VCID-zsef-t5b1-vqd2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.31.3"},{"url":"http://public2.vulnerablecode.io/api/packages/83747?format=json","purl":"pkg:pypi/gradio@4.31.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sa-8f5a-87f1"},{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-3vnm-khj6-9ybe"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-7bun-hzzg-qfcm"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jm6j-hnz2-tkct"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kj44-e4fu-rfd9"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-mhvj-wpvr-u3ga"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-t3ut-uv9g-pya9"},{"vulnerability":"VCID-t6gg-aaqm-sbdx"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-z3jc-ajud-zbej"},{"vulnerability":"VCID-zsef-t5b1-vqd2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.31.4"}],"aliases":["CVE-2024-4941","GHSA-6v6g-j5fq-hpvw","PYSEC-2024-184"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7x2s-krau-t7ar"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54332?format=json","vulnerability_id":"VCID-8ecf-wfxz-r7fj","summary":"A command injection vulnerability exists in the deploy+test-visual.yml workflow of the gradio-app/gradio repository, due to improper neutralization of special elements used in a command. This vulnerability allows attackers to execute unauthorized commands, potentially leading to unauthorized modification of the base repository or secrets exfiltration. The issue arises from the unsafe handling of GitHub context information within a `run` operation, where expressions inside `${{ }}` are evaluated and substituted before script execution. Remediation involves setting untrusted input values to intermediate environment variables to prevent direct influence on script generation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-1540","reference_id":"","reference_type":"","scores":[{"value":"0.00526","scoring_system":"epss","scoring_elements":"0.67543","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00526","scoring_system":"epss","scoring_elements":"0.67452","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-1540"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://huntr.com/bounties/0e39e974-9a66-476f-91f5-3f37abb03d77","reference_id":"0e39e974-9a66-476f-91f5-3f37abb03d77","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-21T14:49:09Z/"}],"url":"https://huntr.com/bounties/0e39e974-9a66-476f-91f5-3f37abb03d77"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1540","reference_id":"CVE-2024-1540","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1540"},{"reference_url":"https://github.com/gradio-app/gradio/commit/d56bb28df80d8db1f33e4acf4f6b2c4f87cb8b28","reference_id":"d56bb28df80d8db1f33e4acf4f6b2c4f87cb8b28","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-21T14:49:09Z/"}],"url":"https://github.com/gradio-app/gradio/commit/d56bb28df80d8db1f33e4acf4f6b2c4f87cb8b28"},{"reference_url":"https://github.com/advisories/GHSA-xcgp-r7r8-2hc9","reference_id":"GHSA-xcgp-r7r8-2hc9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xcgp-r7r8-2hc9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30072?format=json","purl":"pkg:pypi/gradio@4.18.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sa-8f5a-87f1"},{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-3vnm-khj6-9ybe"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-7bun-hzzg-qfcm"},{"vulnerability":"VCID-7x2s-krau-t7ar"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-bcf4-86rd-kfat"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jm6j-hnz2-tkct"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kj44-e4fu-rfd9"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-m8t2-4zrz-z3fh"},{"vulnerability":"VCID-mhvj-wpvr-u3ga"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-q5rx-nz6x-8ka3"},{"vulnerability":"VCID-rk9f-z9gv-83h8"},{"vulnerability":"VCID-t3ut-uv9g-pya9"},{"vulnerability":"VCID-t6gg-aaqm-sbdx"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-z3jc-ajud-zbej"},{"vulnerability":"VCID-zsef-t5b1-vqd2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.18.0"}],"aliases":["CVE-2024-1540","GHSA-xcgp-r7r8-2hc9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8ecf-wfxz-r7fj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/141802?format=json","vulnerability_id":"VCID-8nw2-zc3r-43gy","summary":"Gradio is an open-source Python library that is used to build machine learning and data science. Due to a lack of path filtering Gradio does not properly restrict file access to users. Additionally Gradio does not properly restrict the what URLs are proxied. These issues have been addressed in version 3.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34239","reference_id":"","reference_type":"","scores":[{"value":"0.00294","scoring_system":"epss","scoring_elements":"0.53228","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00294","scoring_system":"epss","scoring_elements":"0.53101","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34239"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/37967617bd97615fb6f3b44e7750c0e0be58479a","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/37967617bd97615fb6f3b44e7750c0e0be58479a"},{"reference_url":"https://github.com/gradio-app/gradio/commit/37967617bd97615fb6f3b44e7750c0e0be58479a#diff-324a7165f5d5a8823a28b76f5653fa45f32c8144c82b2e528882c97c7eae534f","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/37967617bd97615fb6f3b44e7750c0e0be58479a#diff-324a7165f5d5a8823a28b76f5653fa45f32c8144c82b2e528882c97c7eae534f"},{"reference_url":"https://github.com/gradio-app/gradio/commit/cd64130d54e678525774bbb200ef9c7166fa1543","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/cd64130d54e678525774bbb200ef9c7166fa1543"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-90.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-90.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34239","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34239"},{"reference_url":"https://github.com/gradio-app/gradio/pull/4370","reference_id":"4370","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T20:33:03Z/"}],"url":"https://github.com/gradio-app/gradio/pull/4370"},{"reference_url":"https://github.com/gradio-app/gradio/pull/4406","reference_id":"4406","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T20:33:03Z/"}],"url":"https://github.com/gradio-app/gradio/pull/4406"},{"reference_url":"https://github.com/advisories/GHSA-3qqg-pgqq-3695","reference_id":"GHSA-3qqg-pgqq-3695","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3qqg-pgqq-3695"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-3qqg-pgqq-3695","reference_id":"GHSA-3qqg-pgqq-3695","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T20:33:03Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-3qqg-pgqq-3695"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76336?format=json","purl":"pkg:pypi/gradio@3.34.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sa-8f5a-87f1"},{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-3hxd-n4m1-hqa1"},{"vulnerability":"VCID-3vnm-khj6-9ybe"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-7bun-hzzg-qfcm"},{"vulnerability":"VCID-7n76-hnnk-fke4"},{"vulnerability":"VCID-7x2s-krau-t7ar"},{"vulnerability":"VCID-8ecf-wfxz-r7fj"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-bcf4-86rd-kfat"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-fgmy-t86e-7qhh"},{"vulnerability":"VCID-fy4u-yk22-eya1"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jm6j-hnz2-tkct"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-m8t2-4zrz-z3fh"},{"vulnerability":"VCID-mhvj-wpvr-u3ga"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-q5rx-nz6x-8ka3"},{"vulnerability":"VCID-rk9f-z9gv-83h8"},{"vulnerability":"VCID-t3ut-uv9g-pya9"},{"vulnerability":"VCID-t6gg-aaqm-sbdx"},{"vulnerability":"VCID-tdaq-j7v4-x7h3"},{"vulnerability":"VCID-ts11-31jn-xqcz"},{"vulnerability":"VCID-uy45-t1ck-tuha"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-zsef-t5b1-vqd2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@3.34.0"}],"aliases":["CVE-2023-34239","GHSA-3qqg-pgqq-3695","PYSEC-2023-90"],"risk_score":3.3,"exploitability":"0.5","weighted_severity":"6.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8nw2-zc3r-43gy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69197?format=json","vulnerability_id":"VCID-aey9-dexr-aqa8","summary":"Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ changed the definition of `os.path.isabs` so that root-relative paths like `/windows/win.ini` on Windows are no longer considered absolute paths, resulting in a vulnerability in Gradio's logic for joining paths safely. This can be exploited by unauthenticated attackers to read arbitrary files from the Gradio server, even when Gradio is set up with authentication. Version 6.7 fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28414","reference_id":"","reference_type":"","scores":[{"value":"0.04212","scoring_system":"epss","scoring_elements":"0.88993","published_at":"2026-06-11T12:55:00Z"},{"value":"0.04212","scoring_system":"epss","scoring_elements":"0.89031","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28414"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/6011b00d0154b85532fa901dd73cf8fa7d86fd04","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/6011b00d0154b85532fa901dd73cf8fa7d86fd04"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2026-64.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2026-64.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28414","reference_id":"CVE-2026-28414","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28414"},{"reference_url":"https://github.com/advisories/GHSA-39mp-8hj3-5c49","reference_id":"GHSA-39mp-8hj3-5c49","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-39mp-8hj3-5c49"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-39mp-8hj3-5c49","reference_id":"GHSA-39mp-8hj3-5c49","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T22:02:06Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-39mp-8hj3-5c49"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40011?format=json","purl":"pkg:pypi/gradio@6.7.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@6.7.0"}],"aliases":["CVE-2026-28414","GHSA-39mp-8hj3-5c49","PYSEC-2026-64"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-aey9-dexr-aqa8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11602?format=json","vulnerability_id":"VCID-ax7p-6kfu-97bb","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24770","reference_id":"","reference_type":"","scores":[{"value":"0.00591","scoring_system":"epss","scoring_elements":"0.69703","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00591","scoring_system":"epss","scoring_elements":"0.69793","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24770"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2022-229.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2022-229.yaml"},{"reference_url":"https://github.com/gradio-app/gradio/commit/80fea89117358ee105973453fdc402398ae20239","reference_id":"80fea89117358ee105973453fdc402398ae20239","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:02Z/"}],"url":"https://github.com/gradio-app/gradio/commit/80fea89117358ee105973453fdc402398ae20239"},{"reference_url":"https://github.com/gradio-app/gradio/pull/817","reference_id":"817","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:02Z/"}],"url":"https://github.com/gradio-app/gradio/pull/817"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24770","reference_id":"CVE-2022-24770","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24770"},{"reference_url":"https://github.com/advisories/GHSA-f8xq-q7px-wg8c","reference_id":"GHSA-f8xq-q7px-wg8c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f8xq-q7px-wg8c"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-f8xq-q7px-wg8c","reference_id":"GHSA-f8xq-q7px-wg8c","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:02Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-f8xq-q7px-wg8c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19804?format=json","purl":"pkg:pypi/gradio@2.8.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sa-8f5a-87f1"},{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-3hxd-n4m1-hqa1"},{"vulnerability":"VCID-3vnm-khj6-9ybe"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-55hz-6uty-ykap"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-7bun-hzzg-qfcm"},{"vulnerability":"VCID-7n76-hnnk-fke4"},{"vulnerability":"VCID-7x2s-krau-t7ar"},{"vulnerability":"VCID-8ecf-wfxz-r7fj"},{"vulnerability":"VCID-8nw2-zc3r-43gy"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-bcf4-86rd-kfat"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-fgmy-t86e-7qhh"},{"vulnerability":"VCID-fy4u-yk22-eya1"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jm6j-hnz2-tkct"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-m8t2-4zrz-z3fh"},{"vulnerability":"VCID-mhvj-wpvr-u3ga"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-q5rx-nz6x-8ka3"},{"vulnerability":"VCID-rk9f-z9gv-83h8"},{"vulnerability":"VCID-t3ut-uv9g-pya9"},{"vulnerability":"VCID-t6gg-aaqm-sbdx"},{"vulnerability":"VCID-tdaq-j7v4-x7h3"},{"vulnerability":"VCID-ts11-31jn-xqcz"},{"vulnerability":"VCID-uy45-t1ck-tuha"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-zsef-t5b1-vqd2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@2.8.11"}],"aliases":["CVE-2022-24770","GHSA-f8xq-q7px-wg8c","PYSEC-2022-229"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ax7p-6kfu-97bb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/211749?format=json","vulnerability_id":"VCID-bcf4-86rd-kfat","summary":"Duplicate Advisory: Gradio Local File Inclusion vulnerability","references":[{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1728","reference_id":"CVE-2024-1728","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1728"},{"reference_url":"https://github.com/advisories/GHSA-3f95-mxq2-2f63","reference_id":"GHSA-3f95-mxq2-2f63","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3f95-mxq2-2f63"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/29272?format=json","purl":"pkg:pypi/gradio@4.19.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sa-8f5a-87f1"},{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-3vnm-khj6-9ybe"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-7bun-hzzg-qfcm"},{"vulnerability":"VCID-7x2s-krau-t7ar"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jm6j-hnz2-tkct"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kj44-e4fu-rfd9"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-mhvj-wpvr-u3ga"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-rk9f-z9gv-83h8"},{"vulnerability":"VCID-t3ut-uv9g-pya9"},{"vulnerability":"VCID-t6gg-aaqm-sbdx"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-z3jc-ajud-zbej"},{"vulnerability":"VCID-zsef-t5b1-vqd2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.19.2"}],"aliases":["GHSA-3f95-mxq2-2f63"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bcf4-86rd-kfat"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57828?format=json","vulnerability_id":"VCID-c3cb-pkt3-w7b9","summary":"Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **insecure communication** between the FRP (Fast Reverse Proxy) client and server when Gradio's `share=True` option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and read files uploaded to the Gradio server, as well as modify responses or data sent between the client and server. This impacts users who are sharing Gradio demos publicly over the internet using `share=True` without proper encryption, exposing sensitive data to potential eavesdroppers. Users are advised to upgrade to `gradio>=5` to address this issue. As a workaround, users can avoid using `share=True` in production environments and instead host their Gradio applications on servers with HTTPS enabled to ensure secure communication.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47871","reference_id":"","reference_type":"","scores":[{"value":"0.00083","scoring_system":"epss","scoring_elements":"0.24207","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00083","scoring_system":"epss","scoring_elements":"0.24404","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47871"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-219.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-219.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47871","reference_id":"CVE-2024-47871","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47871"},{"reference_url":"https://github.com/advisories/GHSA-279j-x4gx-hfrh","reference_id":"GHSA-279j-x4gx-hfrh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-279j-x4gx-hfrh"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-279j-x4gx-hfrh","reference_id":"GHSA-279j-x4gx-hfrh","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:19:13Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-279j-x4gx-hfrh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33794?format=json","purl":"pkg:pypi/gradio@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jqwz-jr66-yqaz"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-rk1f-25hb-jbcv"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-yztr-6wbj-jueb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0"}],"aliases":["CVE-2024-47871","GHSA-279j-x4gx-hfrh","PYSEC-2024-219"],"risk_score":4.1,"exploitability":"0.5","weighted_severity":"8.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c3cb-pkt3-w7b9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91793?format=json","vulnerability_id":"VCID-d3td-g7zy-gfdh","summary":"Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Gradio's Access Control List (ACL) for file paths can be bypassed by altering the letter case of a blocked file or directory path. This vulnerability arises due to the lack of case normalization in the file path validation logic. On case-insensitive file systems, such as those used by Windows and macOS, this flaw enables attackers to circumvent security restrictions and access sensitive files that should be protected. This issue can lead to unauthorized data access, exposing sensitive information and undermining the integrity of Gradio's security model. Given Gradio's popularity for building web applications, particularly in machine learning and AI, this vulnerability may pose a substantial threat if exploited in production environments. This issue has been addressed in release version 5.6.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-23042","reference_id":"","reference_type":"","scores":[{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.3333","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33148","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-23042"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/6b63fdec441b5c9bf910f910a2505d8defbb6bf8","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/6b63fdec441b5c9bf910f910a2505d8defbb6bf8"},{"reference_url":"https://github.com/gradio-app/gradio/releases/tag/gradio%405.11.0","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/releases/tag/gradio%405.11.0"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2025-118.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2025-118.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23042","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23042"},{"reference_url":"https://github.com/advisories/GHSA-j2jg-fq62-7c3h","reference_id":"GHSA-j2jg-fq62-7c3h","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-j2jg-fq62-7c3h"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-j2jg-fq62-7c3h","reference_id":"GHSA-j2jg-fq62-7c3h","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-15T14:18:00Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-j2jg-fq62-7c3h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86896?format=json","purl":"pkg:pypi/gradio@5.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jqwz-jr66-yqaz"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-yztr-6wbj-jueb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.6.0"},{"url":"http://public2.vulnerablecode.io/api/packages/90861?format=json","purl":"pkg:pypi/gradio@5.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jqwz-jr66-yqaz"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-yztr-6wbj-jueb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.11.0"}],"aliases":["CVE-2025-23042","GHSA-j2jg-fq62-7c3h","PYSEC-2025-118"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d3td-g7zy-gfdh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57656?format=json","vulnerability_id":"VCID-dp31-vu8h-xbbc","summary":"Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **Cross-Site Scripting (XSS)** on any Gradio server that allows file uploads. Authenticated users can upload files such as HTML, JavaScript, or SVG files containing malicious scripts. When other users download or view these files, the scripts will execute in their browser, allowing attackers to perform unauthorized actions or steal sensitive information from their sessions. This impacts any Gradio server that allows file uploads, particularly those using components that process or display user-uploaded files. Users are advised to upgrade to `gradio>=5` to address this issue. As a workaround, users can restrict the types of files that can be uploaded to the Gradio server by limiting uploads to non-executable file types such as images or text. Additionally, developers can implement server-side validation to sanitize uploaded files, ensuring that HTML, JavaScript, and SVG files are properly handled or rejected before being stored or displayed to users.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47872","reference_id":"","reference_type":"","scores":[{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.4856","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48698","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47872"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-220.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-220.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47872","reference_id":"CVE-2024-47872","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47872"},{"reference_url":"https://github.com/advisories/GHSA-gvv6-33j7-884g","reference_id":"GHSA-gvv6-33j7-884g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gvv6-33j7-884g"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-gvv6-33j7-884g","reference_id":"GHSA-gvv6-33j7-884g","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:19:51Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-gvv6-33j7-884g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33794?format=json","purl":"pkg:pypi/gradio@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jqwz-jr66-yqaz"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-rk1f-25hb-jbcv"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-yztr-6wbj-jueb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0"}],"aliases":["CVE-2024-47872","GHSA-gvv6-33j7-884g","PYSEC-2024-220"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dp31-vu8h-xbbc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53928?format=json","vulnerability_id":"VCID-fgmy-t86e-7qhh","summary":"An SSRF (Server-Side Request Forgery) vulnerability exists in the gradio-app/gradio repository, allowing attackers to scan and identify open ports within an internal network. By manipulating the 'file' parameter in a GET request, an attacker can discern the status of internal ports based on the presence of a 'Location' header or a 'File not allowed' error in the response.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-1183","reference_id":"","reference_type":"","scores":[{"value":"0.55048","scoring_system":"epss","scoring_elements":"0.98107","published_at":"2026-06-12T12:55:00Z"},{"value":"0.55048","scoring_system":"epss","scoring_elements":"0.981","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-1183"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://huntr.com/bounties/103434f9-87d2-42ea-9907-194a3c25007c","reference_id":"103434f9-87d2-42ea-9907-194a3c25007c","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-20T18:25:36Z/"}],"url":"https://huntr.com/bounties/103434f9-87d2-42ea-9907-194a3c25007c"},{"reference_url":"https://github.com/gradio-app/gradio/commit/2ad3d9e7ec6c8eeea59774265b44f11df7394bb4","reference_id":"2ad3d9e7ec6c8eeea59774265b44f11df7394bb4","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-20T18:25:36Z/"}],"url":"https://github.com/gradio-app/gradio/commit/2ad3d9e7ec6c8eeea59774265b44f11df7394bb4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1183","reference_id":"CVE-2024-1183","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1183"},{"reference_url":"https://github.com/advisories/GHSA-qh6x-j82h-vpf9","reference_id":"GHSA-qh6x-j82h-vpf9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qh6x-j82h-vpf9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30375?format=json","purl":"pkg:pypi/gradio@4.10.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sa-8f5a-87f1"},{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-3hxd-n4m1-hqa1"},{"vulnerability":"VCID-3vnm-khj6-9ybe"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-7bun-hzzg-qfcm"},{"vulnerability":"VCID-7n76-hnnk-fke4"},{"vulnerability":"VCID-7x2s-krau-t7ar"},{"vulnerability":"VCID-8ecf-wfxz-r7fj"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-bcf4-86rd-kfat"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-fy4u-yk22-eya1"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jm6j-hnz2-tkct"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kj44-e4fu-rfd9"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-m8t2-4zrz-z3fh"},{"vulnerability":"VCID-mhvj-wpvr-u3ga"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-q5rx-nz6x-8ka3"},{"vulnerability":"VCID-rk9f-z9gv-83h8"},{"vulnerability":"VCID-t3ut-uv9g-pya9"},{"vulnerability":"VCID-t6gg-aaqm-sbdx"},{"vulnerability":"VCID-tdaq-j7v4-x7h3"},{"vulnerability":"VCID-uy45-t1ck-tuha"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-z3jc-ajud-zbej"},{"vulnerability":"VCID-zsef-t5b1-vqd2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.10.0"}],"aliases":["CVE-2024-1183","GHSA-qh6x-j82h-vpf9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fgmy-t86e-7qhh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54013?format=json","vulnerability_id":"VCID-fy4u-yk22-eya1","summary":"An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_to_block_cache()` method of the `Block` class, an attacker can copy any file on the filesystem to a temporary directory and subsequently retrieve it. This vulnerability enables unauthorized local file read access, posing a significant risk especially when the application is exposed to the internet via `launch(share=True)`, thereby allowing remote attackers to read files on the host machine. Furthermore, gradio apps hosted on `huggingface.co` are also affected, potentially leading to the exposure of sensitive information such as API keys and credentials stored in environment variables.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-1561","reference_id":"","reference_type":"","scores":[{"value":"0.93426","scoring_system":"epss","scoring_elements":"0.99827","published_at":"2026-06-12T12:55:00Z"},{"value":"0.93426","scoring_system":"epss","scoring_elements":"0.99826","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-1561"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2","reference_id":"24a583688046867ca8b8b02959c441818bdb34a2","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-13T19:06:47Z/"}],"url":"https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2"},{"reference_url":"https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338","reference_id":"4acf584e-2fe8-490e-878d-2d9bf2698338","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-13T19:06:47Z/"}],"url":"https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338"},{"reference_url":"https://www.gradio.app/changelog#4-13-0","reference_id":"changelog#4-13-0","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-13T19:06:47Z/"}],"url":"https://www.gradio.app/changelog#4-13-0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1561","reference_id":"CVE-2024-1561","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1561"},{"reference_url":"https://github.com/advisories/GHSA-g9cj-cfpp-4g2x","reference_id":"GHSA-g9cj-cfpp-4g2x","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g9cj-cfpp-4g2x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30386?format=json","purl":"pkg:pypi/gradio@4.13.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sa-8f5a-87f1"},{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-3hxd-n4m1-hqa1"},{"vulnerability":"VCID-3vnm-khj6-9ybe"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-7bun-hzzg-qfcm"},{"vulnerability":"VCID-7x2s-krau-t7ar"},{"vulnerability":"VCID-8ecf-wfxz-r7fj"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-bcf4-86rd-kfat"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jm6j-hnz2-tkct"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kj44-e4fu-rfd9"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-m8t2-4zrz-z3fh"},{"vulnerability":"VCID-mhvj-wpvr-u3ga"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-q5rx-nz6x-8ka3"},{"vulnerability":"VCID-rk9f-z9gv-83h8"},{"vulnerability":"VCID-t3ut-uv9g-pya9"},{"vulnerability":"VCID-t6gg-aaqm-sbdx"},{"vulnerability":"VCID-uy45-t1ck-tuha"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-z3jc-ajud-zbej"},{"vulnerability":"VCID-zsef-t5b1-vqd2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.13.0"}],"aliases":["CVE-2024-1561","GHSA-g9cj-cfpp-4g2x"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fy4u-yk22-eya1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36678?format=json","vulnerability_id":"VCID-g5ce-vjkw-8uda","summary":"A vulnerability in the gradio-app/gradio repository, version git 67e4044, allows for path traversal on Windows OS. The implementation of the blocked_path functionality, which is intended to disallow users from reading certain files, is flawed. Specifically, while the application correctly blocks access to paths like 'C:/tmp/secret.txt', it fails to block access when using NTFS Alternate Data Streams (ADS) syntax, such as 'C:/tmp/secret.txt::$DATA'. This flaw can lead to unauthorized reading of blocked file paths.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-12217","reference_id":"","reference_type":"","scores":[{"value":"0.00324","scoring_system":"epss","scoring_elements":"0.5583","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00324","scoring_system":"epss","scoring_elements":"0.5595","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-12217"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/blob/67e4044c9ca8358eceeb1fa72fa415df03397d20/gradio/utils.py#L1061-L1074","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/blob/67e4044c9ca8358eceeb1fa72fa415df03397d20/gradio/utils.py#L1061-L1074"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-12217","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-12217"},{"reference_url":"https://huntr.com/bounties/0439bf3d-cb38-43a5-8314-0fadf85cc5a0","reference_id":"0439bf3d-cb38-43a5-8314-0fadf85cc5a0","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T15:14:55Z/"}],"url":"https://huntr.com/bounties/0439bf3d-cb38-43a5-8314-0fadf85cc5a0"},{"reference_url":"https://github.com/advisories/GHSA-prpg-p95c-32fv","reference_id":"GHSA-prpg-p95c-32fv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-prpg-p95c-32fv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86245?format=json","purl":"pkg:pypi/gradio@5.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jqwz-jr66-yqaz"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-rk1f-25hb-jbcv"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-yztr-6wbj-jueb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.2"}],"aliases":["CVE-2024-12217","GHSA-prpg-p95c-32fv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g5ce-vjkw-8uda"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69397?format=json","vulnerability_id":"VCID-hh8v-6v4d-2fdy","summary":"Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled (i.e. apps running on Hugging Face Spaces with gr.LoginButton). Starting in version 6.6.0, the _target_url parameter is sanitized to only use the path, query, and fragment, stripping any scheme or host.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28415.json","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28415.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28415","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02153","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02149","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28415"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/dfee0da06d0aa94b3c2684131e7898d5d5c1911e","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/dfee0da06d0aa94b3c2684131e7898d5d5c1911e"},{"reference_url":"https://github.com/gradio-app/gradio/releases/tag/gradio%406.6.0","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/releases/tag/gradio%406.6.0"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2026-65.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2026-65.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2443449","reference_id":"2443449","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2443449"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28415","reference_id":"CVE-2026-28415","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28415"},{"reference_url":"https://github.com/advisories/GHSA-pfjf-5gxr-995x","reference_id":"GHSA-pfjf-5gxr-995x","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pfjf-5gxr-995x"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-pfjf-5gxr-995x","reference_id":"GHSA-pfjf-5gxr-995x","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:55:30Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-pfjf-5gxr-995x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40008?format=json","purl":"pkg:pypi/gradio@6.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aey9-dexr-aqa8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@6.6.0"}],"aliases":["CVE-2026-28415","GHSA-pfjf-5gxr-995x","PYSEC-2026-65"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hh8v-6v4d-2fdy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57554?format=json","vulnerability_id":"VCID-jm6j-hnz2-tkct","summary":"Gradio is an open-source Python package designed for quick prototyping. This vulnerability is related to **CORS origin validation**, where the Gradio server fails to validate the request origin when a cookie is present. This allows an attacker’s website to make unauthorized requests to a local Gradio server. Potentially, attackers can upload files, steal authentication tokens, and access user data if the victim visits a malicious website while logged into Gradio. This impacts users who have deployed Gradio locally and use basic authentication. Users are advised to upgrade to `gradio>4.44` to address this issue. As a workaround, users can manually enforce stricter CORS origin validation by modifying the `CustomCORSMiddleware` class in their local Gradio server code. Specifically, they can bypass the condition that skips CORS validation for requests containing cookies to prevent potential exploitation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47084","reference_id":"","reference_type":"","scores":[{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33579","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33759","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47084"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-196.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-196.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47084","reference_id":"CVE-2024-47084","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47084"},{"reference_url":"https://github.com/advisories/GHSA-3c67-5hwx-f6wx","reference_id":"GHSA-3c67-5hwx-f6wx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3c67-5hwx-f6wx"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-3c67-5hwx-f6wx","reference_id":"GHSA-3c67-5hwx-f6wx","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:23:34Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-3c67-5hwx-f6wx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33793?format=json","purl":"pkg:pypi/gradio@4.44.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-evrn-yx94-abh8"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kj44-e4fu-rfd9"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-z3jc-ajud-zbej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.44.0"}],"aliases":["CVE-2024-47084","GHSA-3c67-5hwx-f6wx","PYSEC-2024-196"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jm6j-hnz2-tkct"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57862?format=json","vulnerability_id":"VCID-k43n-g9f2-5bf1","summary":"Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **CORS origin validation accepting a null origin**. When a Gradio server is deployed locally, the `localhost_aliases` variable includes \"null\" as a valid origin. This allows attackers to make unauthorized requests from sandboxed iframes or other sources with a null origin, potentially leading to data theft, such as user authentication tokens or uploaded files. This impacts users running Gradio locally, especially those using basic authentication. Users are advised to upgrade to `gradio>=5.0` to address this issue. As a workaround, users can manually modify the `localhost_aliases` list in their local Gradio deployment to exclude \"null\" as a valid origin. By removing this value, the Gradio server will no longer accept requests from sandboxed iframes or sources with a null origin, mitigating the potential for exploitation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47165","reference_id":"","reference_type":"","scores":[{"value":"0.00168","scoring_system":"epss","scoring_elements":"0.3773","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00168","scoring_system":"epss","scoring_elements":"0.37908","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47165"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-214.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-214.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47165","reference_id":"CVE-2024-47165","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47165"},{"reference_url":"https://github.com/advisories/GHSA-89v2-pqfv-c5r9","reference_id":"GHSA-89v2-pqfv-c5r9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-89v2-pqfv-c5r9"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-89v2-pqfv-c5r9","reference_id":"GHSA-89v2-pqfv-c5r9","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:25:38Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-89v2-pqfv-c5r9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33794?format=json","purl":"pkg:pypi/gradio@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jqwz-jr66-yqaz"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-rk1f-25hb-jbcv"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-yztr-6wbj-jueb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0"}],"aliases":["CVE-2024-47165","GHSA-89v2-pqfv-c5r9","PYSEC-2024-214"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k43n-g9f2-5bf1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57908?format=json","vulnerability_id":"VCID-kvhd-cy7k-guac","summary":"Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a **lack of integrity check** on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker gains access to the remote URL from which the FRP client is downloaded, they could modify the binary without detection, as the Gradio server does not verify the file's checksum or signature.  Any users utilizing the Gradio server's sharing mechanism that downloads the FRP client could be affected by this vulnerability, especially those relying on the executable binary for secure data tunneling. There is no direct workaround for this issue without upgrading. However, users can manually validate the integrity of the downloaded FRP client by implementing checksum or signature verification in their own environment to ensure the binary hasn't been tampered with.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47867","reference_id":"","reference_type":"","scores":[{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44877","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.45028","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47867"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-216.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-216.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47867","reference_id":"CVE-2024-47867","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47867"},{"reference_url":"https://github.com/advisories/GHSA-8c87-gvhj-xm8m","reference_id":"GHSA-8c87-gvhj-xm8m","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8c87-gvhj-xm8m"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-8c87-gvhj-xm8m","reference_id":"GHSA-8c87-gvhj-xm8m","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:06:22Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-8c87-gvhj-xm8m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33794?format=json","purl":"pkg:pypi/gradio@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jqwz-jr66-yqaz"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-rk1f-25hb-jbcv"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-yztr-6wbj-jueb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0"}],"aliases":["CVE-2024-47867","GHSA-8c87-gvhj-xm8m","PYSEC-2024-216"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kvhd-cy7k-guac"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54634?format=json","vulnerability_id":"VCID-m8t2-4zrz-z3fh","summary":"gradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component. Attackers can exploit this vulnerability to read arbitrary files on the filesystem, such as private SSH keys, by manipulating the file path in the request to the `/queue/join` endpoint. This issue could potentially lead to remote code execution. The vulnerability is present in the handling of file upload paths, allowing attackers to redirect file uploads to unintended locations on the server.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-1728","reference_id":"","reference_type":"","scores":[{"value":"0.85087","scoring_system":"epss","scoring_elements":"0.99373","published_at":"2026-06-12T12:55:00Z"},{"value":"0.85087","scoring_system":"epss","scoring_elements":"0.99371","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-1728"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/16fbe9cd0cffa9f2a824a0165beb43446114eec7","reference_id":"16fbe9cd0cffa9f2a824a0165beb43446114eec7","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-15T18:41:26Z/"}],"url":"https://github.com/gradio-app/gradio/commit/16fbe9cd0cffa9f2a824a0165beb43446114eec7"},{"reference_url":"https://huntr.com/bounties/9bb33b71-7995-425d-91cc-2c2a2f2a068a","reference_id":"9bb33b71-7995-425d-91cc-2c2a2f2a068a","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-15T18:41:26Z/"}],"url":"https://huntr.com/bounties/9bb33b71-7995-425d-91cc-2c2a2f2a068a"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1728","reference_id":"CVE-2024-1728","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1728"},{"reference_url":"https://github.com/advisories/GHSA-m842-4qm8-7gpq","reference_id":"GHSA-m842-4qm8-7gpq","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m842-4qm8-7gpq"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-m842-4qm8-7gpq","reference_id":"GHSA-m842-4qm8-7gpq","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-m842-4qm8-7gpq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/29272?format=json","purl":"pkg:pypi/gradio@4.19.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sa-8f5a-87f1"},{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-3vnm-khj6-9ybe"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-7bun-hzzg-qfcm"},{"vulnerability":"VCID-7x2s-krau-t7ar"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jm6j-hnz2-tkct"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kj44-e4fu-rfd9"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-mhvj-wpvr-u3ga"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-rk9f-z9gv-83h8"},{"vulnerability":"VCID-t3ut-uv9g-pya9"},{"vulnerability":"VCID-t6gg-aaqm-sbdx"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-z3jc-ajud-zbej"},{"vulnerability":"VCID-zsef-t5b1-vqd2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.19.2"}],"aliases":["CVE-2024-1728","GHSA-m842-4qm8-7gpq"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m8t2-4zrz-z3fh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47762?format=json","vulnerability_id":"VCID-mhvj-wpvr-u3ga","summary":"An open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows an attacker to redirect users to arbitrary websites, which can be exploited for phishing attacks, Cross-site Scripting (XSS), Server-Side Request Forgery (SSRF), amongst others. This issue is due to improper validation of user-supplied input in the handling of URLs. Attackers can exploit this vulnerability by crafting a malicious URL that, when processed by the application, redirects the user to an attacker-controlled web page.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-4940","reference_id":"","reference_type":"","scores":[{"value":"0.07236","scoring_system":"epss","scoring_elements":"0.9184","published_at":"2026-06-12T12:55:00Z"},{"value":"0.07236","scoring_system":"epss","scoring_elements":"0.91812","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-4940"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://huntr.com/bounties/35aaea93-6895-4f03-9c1b-cd992665aa60","reference_id":"35aaea93-6895-4f03-9c1b-cd992665aa60","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-24T14:09:04Z/"}],"url":"https://huntr.com/bounties/35aaea93-6895-4f03-9c1b-cd992665aa60"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4940","reference_id":"CVE-2024-4940","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4940"},{"reference_url":"https://github.com/advisories/GHSA-g6c9-f4xm-9j4x","reference_id":"GHSA-g6c9-f4xm-9j4x","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g6c9-f4xm-9j4x"}],"fixed_packages":[],"aliases":["CVE-2024-4940","GHSA-g6c9-f4xm-9j4x"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mhvj-wpvr-u3ga"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69167?format=json","vulnerability_id":"VCID-njwh-mk7u-yucv","summary":"Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. Version 6.6.0 fixes the issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28416.json","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28416.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28416","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04807","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04803","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28416"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/fc7c01ea1e581ef70be98fddf003b0c91315c7cc","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/fc7c01ea1e581ef70be98fddf003b0c91315c7cc"},{"reference_url":"https://github.com/gradio-app/gradio/releases/tag/gradio%406.6.0","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/releases/tag/gradio%406.6.0"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2026-66.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2026-66.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2443453","reference_id":"2443453","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2443453"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28416","reference_id":"CVE-2026-28416","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28416"},{"reference_url":"https://github.com/advisories/GHSA-jmh7-g254-2cq9","reference_id":"GHSA-jmh7-g254-2cq9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jmh7-g254-2cq9"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9","reference_id":"GHSA-jmh7-g254-2cq9","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-02T21:59:31Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40008?format=json","purl":"pkg:pypi/gradio@6.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aey9-dexr-aqa8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@6.6.0"}],"aliases":["CVE-2026-28416","GHSA-jmh7-g254-2cq9","PYSEC-2026-66"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-njwh-mk7u-yucv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/207506?format=json","vulnerability_id":"VCID-nmby-gdg8-gbcj","summary":"Files on the host computer can be accessed from the Gradio interface","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43831","reference_id":"","reference_type":"","scores":[{"value":"0.30342","scoring_system":"epss","scoring_elements":"0.96809","published_at":"2026-06-11T12:55:00Z"},{"value":"0.30342","scoring_system":"epss","scoring_elements":"0.9682","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43831"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/41bd3645bdb616e1248b2167ca83636a2653f781","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/41bd3645bdb616e1248b2167ca83636a2653f781"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2021-873.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2021-873.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43831","reference_id":"CVE-2021-43831","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43831"},{"reference_url":"https://github.com/advisories/GHSA-rhq2-3vr9-6mcr","reference_id":"GHSA-rhq2-3vr9-6mcr","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rhq2-3vr9-6mcr"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-rhq2-3vr9-6mcr","reference_id":"GHSA-rhq2-3vr9-6mcr","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-rhq2-3vr9-6mcr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18800?format=json","purl":"pkg:pypi/gradio@2.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sa-8f5a-87f1"},{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-3hxd-n4m1-hqa1"},{"vulnerability":"VCID-3vnm-khj6-9ybe"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-55hz-6uty-ykap"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-7bun-hzzg-qfcm"},{"vulnerability":"VCID-7n76-hnnk-fke4"},{"vulnerability":"VCID-7x2s-krau-t7ar"},{"vulnerability":"VCID-8ecf-wfxz-r7fj"},{"vulnerability":"VCID-8nw2-zc3r-43gy"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-ax7p-6kfu-97bb"},{"vulnerability":"VCID-bcf4-86rd-kfat"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-fgmy-t86e-7qhh"},{"vulnerability":"VCID-fy4u-yk22-eya1"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jm6j-hnz2-tkct"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-m8t2-4zrz-z3fh"},{"vulnerability":"VCID-mhvj-wpvr-u3ga"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-q5rx-nz6x-8ka3"},{"vulnerability":"VCID-rk9f-z9gv-83h8"},{"vulnerability":"VCID-t3ut-uv9g-pya9"},{"vulnerability":"VCID-t6gg-aaqm-sbdx"},{"vulnerability":"VCID-tdaq-j7v4-x7h3"},{"vulnerability":"VCID-ts11-31jn-xqcz"},{"vulnerability":"VCID-uy45-t1ck-tuha"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-zsef-t5b1-vqd2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@2.5.0"}],"aliases":["CVE-2021-43831","GHSA-rhq2-3vr9-6mcr","PYSEC-2021-873"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nmby-gdg8-gbcj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54266?format=json","vulnerability_id":"VCID-q5rx-nz6x-8ka3","summary":"A timing attack vulnerability exists in the gradio-app/gradio repository, specifically within the login function in routes.py. The vulnerability arises from the use of a direct comparison operation (`app.auth[username] == password`) to validate user credentials, which can be exploited to guess passwords based on response times. Successful exploitation of this vulnerability could allow an attacker to bypass authentication mechanisms and gain unauthorized access.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-1729","reference_id":"","reference_type":"","scores":[{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24243","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24046","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-1729"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/releases/tag/gradio%404.19.2","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/releases/tag/gradio%404.19.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1729","reference_id":"CVE-2024-1729","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1729"},{"reference_url":"https://github.com/gradio-app/gradio/commit/e329f1fd38935213fe0e73962e8cbd5d3af6e87b","reference_id":"e329f1fd38935213fe0e73962e8cbd5d3af6e87b","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-29T14:49:03Z/"}],"url":"https://github.com/gradio-app/gradio/commit/e329f1fd38935213fe0e73962e8cbd5d3af6e87b"},{"reference_url":"https://huntr.com/bounties/f6a10a8d-f538-4cb7-9bb2-85d9f5708124","reference_id":"f6a10a8d-f538-4cb7-9bb2-85d9f5708124","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-29T14:49:03Z/"}],"url":"https://huntr.com/bounties/f6a10a8d-f538-4cb7-9bb2-85d9f5708124"},{"reference_url":"https://github.com/advisories/GHSA-hmx6-r76c-85g9","reference_id":"GHSA-hmx6-r76c-85g9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hmx6-r76c-85g9"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-hmx6-r76c-85g9","reference_id":"GHSA-hmx6-r76c-85g9","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-hmx6-r76c-85g9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/29272?format=json","purl":"pkg:pypi/gradio@4.19.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sa-8f5a-87f1"},{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-3vnm-khj6-9ybe"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-7bun-hzzg-qfcm"},{"vulnerability":"VCID-7x2s-krau-t7ar"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jm6j-hnz2-tkct"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kj44-e4fu-rfd9"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-mhvj-wpvr-u3ga"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-rk9f-z9gv-83h8"},{"vulnerability":"VCID-t3ut-uv9g-pya9"},{"vulnerability":"VCID-t6gg-aaqm-sbdx"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-z3jc-ajud-zbej"},{"vulnerability":"VCID-zsef-t5b1-vqd2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.19.2"}],"aliases":["CVE-2024-1729","GHSA-hmx6-r76c-85g9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q5rx-nz6x-8ka3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49431?format=json","vulnerability_id":"VCID-rk9f-z9gv-83h8","summary":"Gradio before 4.20 allows credential leakage on Windows.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34510","reference_id":"","reference_type":"","scores":[{"value":"0.00092","scoring_system":"epss","scoring_elements":"0.25969","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00092","scoring_system":"epss","scoring_elements":"0.26169","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34510"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-255.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-255.yaml"},{"reference_url":"https://www.gradio.app/changelog#4-20-0","reference_id":"changelog#4-20-0","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:U/UI:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-29T14:51:27Z/"}],"url":"https://www.gradio.app/changelog#4-20-0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34510","reference_id":"CVE-2024-34510","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34510"},{"reference_url":"https://github.com/advisories/GHSA-rvfh-h6c7-fc3c","reference_id":"GHSA-rvfh-h6c7-fc3c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rvfh-h6c7-fc3c"},{"reference_url":"https://github.com/gradio-app/gradio/","reference_id":"gradio","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:U/UI:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-29T14:51:27Z/"}],"url":"https://github.com/gradio-app/gradio/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30908?format=json","purl":"pkg:pypi/gradio@4.20.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sa-8f5a-87f1"},{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-3vnm-khj6-9ybe"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-7bun-hzzg-qfcm"},{"vulnerability":"VCID-7x2s-krau-t7ar"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jm6j-hnz2-tkct"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kj44-e4fu-rfd9"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-mhvj-wpvr-u3ga"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-t3ut-uv9g-pya9"},{"vulnerability":"VCID-t6gg-aaqm-sbdx"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-z3jc-ajud-zbej"},{"vulnerability":"VCID-zsef-t5b1-vqd2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.20.0"}],"aliases":["CVE-2024-34510","GHSA-rvfh-h6c7-fc3c","PYSEC-2024-255"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rk9f-z9gv-83h8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57794?format=json","vulnerability_id":"VCID-t3ut-uv9g-pya9","summary":"Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **timing attack** in the way Gradio compares hashes for the `analytics_dashboard` function. Since the comparison is not done in constant time, an attacker could exploit this by measuring the response time of different requests to infer the correct hash byte-by-byte. This can lead to unauthorized access to the analytics dashboard, especially if the attacker can repeatedly query the system with different keys. Users are advised to upgrade to `gradio>4.44` to mitigate this issue. To mitigate the risk before applying the patch, developers can manually patch the `analytics_dashboard` dashboard to use a **constant-time comparison** function for comparing sensitive values, such as hashes. Alternatively, access to the analytics dashboard can be disabled.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47869","reference_id":"","reference_type":"","scores":[{"value":"0.00158","scoring_system":"epss","scoring_elements":"0.36516","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00158","scoring_system":"epss","scoring_elements":"0.36695","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47869"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-199.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-199.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47869","reference_id":"CVE-2024-47869","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47869"},{"reference_url":"https://github.com/advisories/GHSA-j757-pf57-f8r4","reference_id":"GHSA-j757-pf57-f8r4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j757-pf57-f8r4"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-j757-pf57-f8r4","reference_id":"GHSA-j757-pf57-f8r4","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:08:36Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-j757-pf57-f8r4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33793?format=json","purl":"pkg:pypi/gradio@4.44.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-evrn-yx94-abh8"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kj44-e4fu-rfd9"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-z3jc-ajud-zbej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.44.0"}],"aliases":["CVE-2024-47869","GHSA-j757-pf57-f8r4","PYSEC-2024-199"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t3ut-uv9g-pya9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47761?format=json","vulnerability_id":"VCID-t6gg-aaqm-sbdx","summary":"A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio version 4.21.0, specifically within the `/queue/join` endpoint and the `save_url_to_cache` function. The vulnerability arises when the `path` value, obtained from the user and expected to be a URL, is used to make an HTTP request without sufficient validation checks. This flaw allows an attacker to send crafted requests that could lead to unauthorized access to the local network or the AWS metadata endpoint, thereby compromising the security of internal servers.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-4325","reference_id":"","reference_type":"","scores":[{"value":"0.65093","scoring_system":"epss","scoring_elements":"0.98502","published_at":"2026-06-11T12:55:00Z"},{"value":"0.65093","scoring_system":"epss","scoring_elements":"0.98507","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-4325"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/pull/8301","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/pull/8301"},{"reference_url":"https://huntr.com/bounties/b34f084b-7d14-4f00-bc10-048a3a5aaf88","reference_id":"b34f084b-7d14-4f00-bc10-048a3a5aaf88","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-06T19:32:08Z/"}],"url":"https://huntr.com/bounties/b34f084b-7d14-4f00-bc10-048a3a5aaf88"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4325","reference_id":"CVE-2024-4325","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4325"},{"reference_url":"https://github.com/advisories/GHSA-973g-55hp-3frw","reference_id":"GHSA-973g-55hp-3frw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-973g-55hp-3frw"}],"fixed_packages":[],"aliases":["CVE-2024-4325","GHSA-973g-55hp-3frw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t6gg-aaqm-sbdx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/211763?format=json","vulnerability_id":"VCID-tdaq-j7v4-x7h3","summary":"Gradio's Component Server does not properly consider` _is_server_fn` for functions","references":[{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34511","reference_id":"CVE-2024-34511","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34511"},{"reference_url":"https://github.com/advisories/GHSA-34rf-p3r3-58x2","reference_id":"GHSA-34rf-p3r3-58x2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-34rf-p3r3-58x2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30386?format=json","purl":"pkg:pypi/gradio@4.13.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sa-8f5a-87f1"},{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-3hxd-n4m1-hqa1"},{"vulnerability":"VCID-3vnm-khj6-9ybe"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-7bun-hzzg-qfcm"},{"vulnerability":"VCID-7x2s-krau-t7ar"},{"vulnerability":"VCID-8ecf-wfxz-r7fj"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-bcf4-86rd-kfat"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jm6j-hnz2-tkct"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kj44-e4fu-rfd9"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-m8t2-4zrz-z3fh"},{"vulnerability":"VCID-mhvj-wpvr-u3ga"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-q5rx-nz6x-8ka3"},{"vulnerability":"VCID-rk9f-z9gv-83h8"},{"vulnerability":"VCID-t3ut-uv9g-pya9"},{"vulnerability":"VCID-t6gg-aaqm-sbdx"},{"vulnerability":"VCID-uy45-t1ck-tuha"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-z3jc-ajud-zbej"},{"vulnerability":"VCID-zsef-t5b1-vqd2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.13.0"}],"aliases":["CVE-2024-34511","GHSA-34rf-p3r3-58x2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tdaq-j7v4-x7h3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58915?format=json","vulnerability_id":"VCID-ts11-31jn-xqcz","summary":"A local file include could be remotely triggered in Gradio due to a vulnerable user-supplied JSON value in an API request.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-0964","reference_id":"","reference_type":"","scores":[{"value":"0.00147","scoring_system":"epss","scoring_elements":"0.35113","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00147","scoring_system":"epss","scoring_elements":"0.34935","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-0964"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-261.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-261.yaml"},{"reference_url":"https://huntr.com/bounties/25e25501-5918-429c-8541-88832dfd3741","reference_id":"25e25501-5918-429c-8541-88832dfd3741","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"9.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-06T18:33:00Z/"}],"url":"https://huntr.com/bounties/25e25501-5918-429c-8541-88832dfd3741"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-0964","reference_id":"CVE-2024-0964","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-0964"},{"reference_url":"https://github.com/gradio-app/gradio/commit/d76bcaaaf0734aaf49a680f94ea9d4d22a602e70","reference_id":"d76bcaaaf0734aaf49a680f94ea9d4d22a602e70","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"9.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-06T18:33:00Z/"}],"url":"https://github.com/gradio-app/gradio/commit/d76bcaaaf0734aaf49a680f94ea9d4d22a602e70"},{"reference_url":"https://github.com/advisories/GHSA-f3h9-8phc-6gvh","reference_id":"GHSA-f3h9-8phc-6gvh","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f3h9-8phc-6gvh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28780?format=json","purl":"pkg:pypi/gradio@4.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sa-8f5a-87f1"},{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-3hxd-n4m1-hqa1"},{"vulnerability":"VCID-3vnm-khj6-9ybe"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-7bun-hzzg-qfcm"},{"vulnerability":"VCID-7n76-hnnk-fke4"},{"vulnerability":"VCID-7x2s-krau-t7ar"},{"vulnerability":"VCID-8ecf-wfxz-r7fj"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-bcf4-86rd-kfat"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-fgmy-t86e-7qhh"},{"vulnerability":"VCID-fy4u-yk22-eya1"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jm6j-hnz2-tkct"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kj44-e4fu-rfd9"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-m8t2-4zrz-z3fh"},{"vulnerability":"VCID-mhvj-wpvr-u3ga"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-q5rx-nz6x-8ka3"},{"vulnerability":"VCID-rk9f-z9gv-83h8"},{"vulnerability":"VCID-t3ut-uv9g-pya9"},{"vulnerability":"VCID-t6gg-aaqm-sbdx"},{"vulnerability":"VCID-tdaq-j7v4-x7h3"},{"vulnerability":"VCID-uy45-t1ck-tuha"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-z3jc-ajud-zbej"},{"vulnerability":"VCID-zsef-t5b1-vqd2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.9.0"}],"aliases":["CVE-2024-0964","GHSA-f3h9-8phc-6gvh","PYSEC-2024-261"],"risk_score":4.2,"exploitability":"0.5","weighted_severity":"8.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ts11-31jn-xqcz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/62940?format=json","vulnerability_id":"VCID-uy45-t1ck-tuha","summary":"An SSRF vulnerability exists in the gradio-app/gradio due to insufficient validation of user-supplied URLs in the `/proxy` route. Attackers can exploit this vulnerability by manipulating the `self.replica_urls` set through the `X-Direct-Url` header in requests to the `/` and `/config` routes, allowing the addition of arbitrary URLs for proxying. This flaw enables unauthorized proxying of requests and potential access to internal endpoints within the Hugging Face space. The issue arises from the application's inadequate checking of safe URLs in the `build_proxy_request` function.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-2206","reference_id":"","reference_type":"","scores":[{"value":"0.00131","scoring_system":"epss","scoring_elements":"0.32338","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00131","scoring_system":"epss","scoring_elements":"0.32156","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-2206"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://huntr.com/bounties/2286c1ed-b889-45d6-adda-7014ea06d98e","reference_id":"2286c1ed-b889-45d6-adda-7014ea06d98e","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-20T18:26:27Z/"}],"url":"https://huntr.com/bounties/2286c1ed-b889-45d6-adda-7014ea06d98e"},{"reference_url":"https://github.com/gradio-app/gradio/commit/49d9c48537aa706bf72628e3640389470138bdc6","reference_id":"49d9c48537aa706bf72628e3640389470138bdc6","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-20T18:26:27Z/"}],"url":"https://github.com/gradio-app/gradio/commit/49d9c48537aa706bf72628e3640389470138bdc6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2206","reference_id":"CVE-2024-2206","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2206"},{"reference_url":"https://github.com/advisories/GHSA-r364-m2j9-mf4h","reference_id":"GHSA-r364-m2j9-mf4h","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r364-m2j9-mf4h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30072?format=json","purl":"pkg:pypi/gradio@4.18.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sa-8f5a-87f1"},{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-3vnm-khj6-9ybe"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-7bun-hzzg-qfcm"},{"vulnerability":"VCID-7x2s-krau-t7ar"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-bcf4-86rd-kfat"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jm6j-hnz2-tkct"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kj44-e4fu-rfd9"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-m8t2-4zrz-z3fh"},{"vulnerability":"VCID-mhvj-wpvr-u3ga"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-q5rx-nz6x-8ka3"},{"vulnerability":"VCID-rk9f-z9gv-83h8"},{"vulnerability":"VCID-t3ut-uv9g-pya9"},{"vulnerability":"VCID-t6gg-aaqm-sbdx"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-z3jc-ajud-zbej"},{"vulnerability":"VCID-zsef-t5b1-vqd2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.18.0"}],"aliases":["CVE-2024-2206","GHSA-r364-m2j9-mf4h"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uy45-t1ck-tuha"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34699?format=json","vulnerability_id":"VCID-v32z-9xvk-9bcu","summary":"A vulnerability in the file upload process of gradio-app/gradio version @gradio/video@0.10.2 allows for a Denial of Service (DoS) attack. An attacker can append a large number of characters to the end of a multipart boundary, causing the system to continuously process each character and issue warnings. This can render Gradio inaccessible for extended periods, disrupting services and causing significant downtime.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-8966","reference_id":"","reference_type":"","scores":[{"value":"0.0029","scoring_system":"epss","scoring_elements":"0.52903","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0029","scoring_system":"epss","scoring_elements":"0.52774","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-8966"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/commit/f1718c47137f9c60240da7afe5e3290aa0f1cb47","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/commit/f1718c47137f9c60240da7afe5e3290aa0f1cb47"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8966","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8966"},{"reference_url":"https://huntr.com/bounties/7b5932bb-58d1-4e71-b85c-43dc40522ff2","reference_id":"7b5932bb-58d1-4e71-b85c-43dc40522ff2","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T15:50:36Z/"}],"url":"https://huntr.com/bounties/7b5932bb-58d1-4e71-b85c-43dc40522ff2"},{"reference_url":"https://github.com/advisories/GHSA-5cpq-9538-jm2j","reference_id":"GHSA-5cpq-9538-jm2j","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5cpq-9538-jm2j"}],"fixed_packages":[],"aliases":["CVE-2024-8966","GHSA-5cpq-9538-jm2j"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v32z-9xvk-9bcu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57565?format=json","vulnerability_id":"VCID-xnf5-dn9m-dqay","summary":"Gradio is an open-source Python package designed for quick prototyping. This is a **data validation vulnerability** affecting several Gradio components, which allows arbitrary file leaks through the post-processing step. Attackers can exploit these components by crafting requests that bypass expected input constraints. This issue could lead to sensitive files being exposed to unauthorized users, especially when combined with other vulnerabilities, such as issue TOB-GRADIO-15. The components most at risk are those that return or handle file data. Vulnerable Components: 1. **String to FileData:** DownloadButton, Audio, ImageEditor, Video, Model3D, File, UploadButton. 2. **Complex data to FileData:** Chatbot, MultimodalTextbox. 3. **Direct file read in preprocess:** Code. 4. **Dictionary converted to FileData:** ParamViewer, Dataset. Exploit Scenarios: 1. A developer creates a Dropdown list that passes values to a DownloadButton. An attacker bypasses the allowed inputs, sends an arbitrary file path (like `/etc/passwd`), and downloads sensitive files. 2. An attacker crafts a malicious payload in a ParamViewer component, leaking sensitive files from a server through the arbitrary file leak. This issue has been resolved in `gradio>5.0`. Upgrading to the latest version will mitigate this vulnerability. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47868","reference_id":"","reference_type":"","scores":[{"value":"0.00201","scoring_system":"epss","scoring_elements":"0.42332","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00201","scoring_system":"epss","scoring_elements":"0.42167","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47868"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-217.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-217.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47868","reference_id":"CVE-2024-47868","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47868"},{"reference_url":"https://github.com/advisories/GHSA-4q3c-cj7g-jcwf","reference_id":"GHSA-4q3c-cj7g-jcwf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4q3c-cj7g-jcwf"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-4q3c-cj7g-jcwf","reference_id":"GHSA-4q3c-cj7g-jcwf","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:07:53Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-4q3c-cj7g-jcwf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33794?format=json","purl":"pkg:pypi/gradio@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-jqwz-jr66-yqaz"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-rk1f-25hb-jbcv"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-yztr-6wbj-jueb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0"}],"aliases":["CVE-2024-47868","GHSA-4q3c-cj7g-jcwf","PYSEC-2024-217"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xnf5-dn9m-dqay"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/118072?format=json","vulnerability_id":"VCID-yztr-6wbj-jueb","summary":"Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Prior to version 5.31.0, an arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy any readable file from the server's filesystem. While attackers can't read these copied files, they can cause DoS by copying large files (like /dev/urandom) to fill disk space. This issue has been patched in version 5.31.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-48889","reference_id":"","reference_type":"","scores":[{"value":"0.01469","scoring_system":"epss","scoring_elements":"0.81395","published_at":"2026-06-12T12:55:00Z"},{"value":"0.01469","scoring_system":"epss","scoring_elements":"0.81334","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-48889"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2025-119.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2025-119.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48889","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48889"},{"reference_url":"https://github.com/advisories/GHSA-8jw3-6x8j-v96g","reference_id":"GHSA-8jw3-6x8j-v96g","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-8jw3-6x8j-v96g"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-8jw3-6x8j-v96g","reference_id":"GHSA-8jw3-6x8j-v96g","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-30T12:25:32Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-8jw3-6x8j-v96g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/87723?format=json","purl":"pkg:pypi/gradio@5.31.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.31.0"}],"aliases":["CVE-2025-48889","GHSA-8jw3-6x8j-v96g","PYSEC-2025-119"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yztr-6wbj-jueb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58185?format=json","vulnerability_id":"VCID-zsef-t5b1-vqd2","summary":"Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves data exposure due to the enable_monitoring flag not properly disabling monitoring when set to False. Even when monitoring is supposedly disabled, an attacker or unauthorized user can still access the monitoring dashboard by directly requesting the /monitoring endpoint. This means that sensitive application analytics may still be exposed, particularly in environments where monitoring is expected to be disabled. Users who set enable_monitoring=False to prevent unauthorized access to monitoring data are impacted. Users are advised to upgrade to gradio>=4.44 to address this issue. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47168","reference_id":"","reference_type":"","scores":[{"value":"0.00158","scoring_system":"epss","scoring_elements":"0.36516","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00158","scoring_system":"epss","scoring_elements":"0.36695","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47168"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-198.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-198.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47168","reference_id":"CVE-2024-47168","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47168"},{"reference_url":"https://github.com/advisories/GHSA-hm3c-93pg-4cxw","reference_id":"GHSA-hm3c-93pg-4cxw","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hm3c-93pg-4cxw"},{"reference_url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-hm3c-93pg-4cxw","reference_id":"GHSA-hm3c-93pg-4cxw","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T15:28:11Z/"}],"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-hm3c-93pg-4cxw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33793?format=json","purl":"pkg:pypi/gradio@4.44.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2kc2-mh1j-hbcc"},{"vulnerability":"VCID-4z8e-1e5c-gbh1"},{"vulnerability":"VCID-56ts-6khe-yub6"},{"vulnerability":"VCID-6qjh-ukrg-bbhn"},{"vulnerability":"VCID-aey9-dexr-aqa8"},{"vulnerability":"VCID-c3cb-pkt3-w7b9"},{"vulnerability":"VCID-d3td-g7zy-gfdh"},{"vulnerability":"VCID-dp31-vu8h-xbbc"},{"vulnerability":"VCID-evrn-yx94-abh8"},{"vulnerability":"VCID-g5ce-vjkw-8uda"},{"vulnerability":"VCID-hh8v-6v4d-2fdy"},{"vulnerability":"VCID-k43n-g9f2-5bf1"},{"vulnerability":"VCID-kj44-e4fu-rfd9"},{"vulnerability":"VCID-kvhd-cy7k-guac"},{"vulnerability":"VCID-njwh-mk7u-yucv"},{"vulnerability":"VCID-v32z-9xvk-9bcu"},{"vulnerability":"VCID-vvn9-wgp2-q7ag"},{"vulnerability":"VCID-xnf5-dn9m-dqay"},{"vulnerability":"VCID-yztr-6wbj-jueb"},{"vulnerability":"VCID-z3jc-ajud-zbej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@4.44.0"}],"aliases":["CVE-2024-47168","GHSA-hm3c-93pg-4cxw","PYSEC-2024-198"],"risk_score":1.9,"exploitability":"0.5","weighted_severity":"3.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zsef-t5b1-vqd2"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@0.9.2"}