879 matches found
Gradio Hugging Face - Local File Inclusion
Gradio LFI when auth is not enabled, affects versions 4.0 - 4.10, also works against Gradio 3.33 id: CVE-2023-51449 info: name: Gradio Hugging Face - Local File Inclusion author: nvn1729 severity: high description: | Gradio LFI when auth is not enabled, affects versions 4.0 - 4.10, also works...
Gradio - Open Redirect
Gradio allows an open redirect bypass via URL encoding, enabling attackers to redirect users to malicious sites. This can lead to phishing attacks and loss of trust in the application. id: CVE-2024-8021 info: name: Gradio - Open Redirect author: DhiyaneshDK severity: medium description: | Gradio...
Gradio - Server Side Request Forgery
An SSRF Server-Side Request Forgery vulnerability exists in the gradio-app/gradio repository, allowing attackers to scan and identify open ports within an internal network. By manipulating the 'file' parameter in a GET request, an attacker can discern the status of internal ports based on the...
Gradio - Open Redirect
An open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows an attacker to redirect users to arbitrary websites, which can be exploited for phishing attacks, Cross-site Scripting XSS, Server-Side Request Forgery SSRF, amongst others. This...
Gradio 4.3-4.12 - Local File Read
Local file read by calling arbitrary methods of Components class between Gradio versions 4.3-4.12 id: CVE-2024-1561 info: name: Gradio 4.3-4.12 - Local File Read author: nvn1729,Diablo severity: high description: | Local file read by calling arbitrary methods of Components class between Gradio...
Gradio - Server-Side Request Forgery
A Server-Side Request Forgery SSRF vulnerability exists in the gradio-app/gradio version 4.21.0, specifically within the /queue/join endpoint and the saveurltocache function. The vulnerability arises when the path value, obtained from the user and expected to be a URL, is used to make an HTTP...
Gradio - Absolute Path Traversal
Gradio 6.7 on Windows with Python 3.13+ contains an absolute path traversal caused by incorrect path validation in path joining logic, letting unauthenticated attackers read arbitrary files from the server. id: CVE-2026-28414 info: name: Gradio - Absolute Path Traversal author: 0xAkoko severity:...
Gradio < 2.5.0 - Arbitrary File Read
Files on the host computer can be accessed from the Gradio interface id: CVE-2021-43831 info: name: Gradio 2.5.0 - Arbitrary File Read author: isacaya severity: high description: | Files on the host computer can be accessed from the Gradio interface impact: | An attacker would be able to view the...
CVE-2026-59806
Gradio before 6.20.0 contains an open redirect and server-side request forgery vulnerability that allows attackers to redirect users to arbitrary URLs or perform client-side SSRF by supplying unvalidated HTTP/HTTPS URLs to the filefetch function in the /gradioapi/file= endpoint. Attackers can cra...
CVE-2026-59806 Gradio < 6.20.0 - Open Redirect and SSRF via /gradio_api/file= endpoint
Gradio before 6.20.0 contains an open redirect and server-side request forgery vulnerability that allows attackers to redirect users to arbitrary URLs or perform client-side SSRF by supplying unvalidated HTTP/HTTPS URLs to the filefetch function in the /gradioapi/file= endpoint. Attackers can cra...
EUVD-2026-42376
Gradio before 6.20.0 contains an open redirect and server-side request forgery vulnerability that allows attackers to redirect users to arbitrary URLs or perform client-side SSRF by supplying unvalidated HTTP/HTTPS URLs to the filefetch function in the /gradioapi/file= endpoint. Attackers can cra...
CVE-2026-59806
Gradio before 6.20.0 is affected by an open redirect and server-side request forgery via the /gradio_api/file= endpoint, allowing an attacker to redirect users to arbitrary URLs or perform client-side SSRF by supplying unvalidated HTTP/HTTPS URLs to file_fetch(). Attackers could craft a malicious...
PT-2026-56568
Name of the Vulnerable Software and Affected Versions Gradio versions prior to 6.20.0 Description An open redirect and server-side request forgery SSRF issue exists where attackers can redirect users to arbitrary URLs or perform client-side SSRF. This occurs when unvalidated HTTP/HTTPS URLs are...
Gradio > 4.19.1 UploadButton - Path Traversal
gradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component. id: CVE-2024-1728 info: name: Gradio 4.19.1 UploadButton - Path Traversal author: isacaya severity: high description: | gradio-app/gradio is...
CVE-2026-49119
Gradio before 6.16.0 contain a path traversal vulnerability in the FileExplorer component's preprocess method that allows unauthenticated attackers to escape the configured root directory by supplying path segments containing directory traversal sequences or absolute paths. Attackers can provide...
CVE-2026-49119
Gradio before 6.16.0 contain a path traversal vulnerability in the FileExplorer component's preprocess method that allows unauthenticated attackers to escape the configured root directory by supplying path segments containing directory traversal sequences or absolute paths. Attackers can provide...
CVE-2026-49119
Gradio
CVE-2026-49119 Gradio < 6.16.0 Path Traversal via FileExplorer.preprocess()
Gradio before 6.16.0 contain a path traversal vulnerability in the FileExplorer component's preprocess method that allows unauthenticated attackers to escape the configured root directory by supplying path segments containing directory traversal sequences or absolute paths. Attackers can provide...
CVE-2026-49119 Gradio < 6.16.0 Path Traversal via FileExplorer.preprocess()
Gradio before 6.16.0 contain a path traversal vulnerability in the FileExplorer component's preprocess method that allows unauthenticated attackers to escape the configured root directory by supplying path segments containing directory traversal sequences or absolute paths. Attackers can provide...
PT-2026-54771
Name of the Vulnerable Software and Affected Versions Gradio versions prior to 6.16.0 Description A path traversal issue exists in the preprocess function of the FileExplorer component. Unauthenticated attackers can escape the configured root directory by providing path segments that include...