Gradio - Absolute Path Traversal

Gradio 6.7 on Windows with Python 3.13+ contains an absolute path traversal caused by incorrect path validation in path joining logic, letting unauthenticated attackers read arbitrary files from the server. id: CVE-2026-28414 info: name: Gradio - Absolute Path Traversal author: 0xAkoko severity:...

VulnCheck KEV: CVE-2026-28414

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ change...

3d-rcnet (>=0.2.2 <=0.2.3), aa-prepflow (>=0.1.0 <=0.1.1) +1117 more potentially affected by CVE-2026-28414 via gradio (>=1.7.7 <=6.4.0)

gradio PYPI version =1.7.7, =0.2.2, =0.1.0, =0.2.5, =0.3.0, =0.0.3, =0.1.5, =0.8.2.4, =0.2.1, =0.1.0, =0.1.0, =0.1.0, =2.0.0, =3.3.9 and more Source cves: CVE-2026-28414 Source advisory: OSV:GHSA-39MP-8HJ3-5C49...

3d-rcnet (>=0.2.2 <=0.2.3), aa-prepflow (>=0.1.0 <=0.1.1) +692 more potentially affected by CVE-2026-28414 via gradio (>=6.0.0 <=6.4.0)

gradio PYPI version =6.0.0, =0.2.2, =0.1.0, =0.2.5, =0.0.3, =0.1.5, =0.1.0, =0.1.0, =0.1.0, =3.3.0, =0.1.4, =0.1.3, =0.1.0, =0.2.0 and more Source cves: CVE-2026-28414 Source advisory: SNYK:PYTHON-GRADIO-15366417...

CVE-2026-28414

creationtimestamp| type| source ---|---|--- 2026-02-27 20:22:53+00:00| published-proof-of-concept| https://github.com/gradio-app/gradio/security/advisories/GHSA-39mp-8hj3-5c49 2026-02-28 00:28:18+00:00| published-proof-of-concept| https://t.me/realcodeb0ss/348 2026-02-28 05:01:30+00:00| seen|...