
Gradio Project Gradio vulnerabilities

52 known vulnerabilities affecting gradio_project/gradio.

Total CVEs: 52
CISA KEV: 0
Public exploits: 9
Exploited in wild: 3
Severity breakdown: CRITICAL 6, HIGH 24, MEDIUM 19, LOW 3

Vulnerabilities

Page 3 of 3

CVE | Priority | Severity | CVSS | Fixed in / affected versions | Date
CVE-2024-47166 | P4 | MEDIUM | CVSS 5.3 | fixed in 4.44.0 | 2024-10-10
CVE-2024-47166 [MEDIUM] CWE-22: Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **one-level read path traversal** in the `/custom_component` endpoint. Attackers can exploit this flaw to access and leak source code from custom Gradio components by manipulating the file path in the request. Although the traversal is limited to a si
CVE-2024-47165 | P4 | MEDIUM | CVSS 5.4 | fixed in 5.0.0 | 2024-10-10
CVE-2024-47165 [MEDIUM] CWE-285: Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **CORS origin validation accepting a null origin**. When a Gradio server is deployed locally, the `localhost_aliases` variable includes "null" as a valid origin. This allows attackers to make unauthorized requests from sandboxed iframes or other sou
CVE-2024-47872 | P4 | MEDIUM | CVSS 5.4 | fixed in 5.0.0 | 2024-10-10
CVE-2024-47872 [MEDIUM] CWE-79: Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **Cross-Site Scripting (XSS)** on any Gradio server that allows file uploads. Authenticated users can upload files such as HTML, JavaScript, or SVG files containing malicious scripts. When other users download or view these files, the scripts will execu
CVE-2024-12217 | P4 | MEDIUM | affected ≥ 0, ≤ 5.0.1 | 2025-03-20
CVE-2024-12217 [MEDIUM] CWE-22: Gradio Path Traversal vulnerability. A vulnerability in the gradio-app/gradio repository, version git 67e4044, allows for path traversal on Windows OS. The implementation of the blocked_path functionality, which is intended to disallow users from reading certain files, is flawed. Specifically, while the application correctly blocks access to paths like 'C:/tmp/secret.txt', it fails to block access when using NTFS Alternate Data S
CVE-2023-41626 | P4 | MEDIUM | CVSS 4.8 | v3.27.0 | 2023-09-15
CVE-2023-41626 [MEDIUM] CWE-434: Gradio v3.27.0 was discovered to contain an arbitrary file upload vulnerability via the /upload interface.
CVE-2026-28415 | P4 | MEDIUM | CVSS 4.7 | fixed in 6.6.0 | 2026-02-27
CVE-2026-28415 [MEDIUM] CWE-200: Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled (i.e. ap
CVE-2024-47168 | P4 | MEDIUM | CVSS 4.3 | fixed in 4.44.0 | 2024-10-10
CVE-2024-47168 [MEDIUM] CWE-670: Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves data exposure due to the enable_monitoring flag not properly disabling monitoring when set to False. Even when monitoring is supposedly disabled, an attacker or unauthorized user can still access the monitoring dashboard by directly requesting the /mon
CVE-2024-1727 | P4 | MEDIUM | CVSS 4.3 | affected ≥ 4.16.0, < 4.19.2 | 2024-03-21
CVE-2024-1727 [MEDIUM] CWE-352: A Cross-Site Request Forgery (CSRF) vulnerability in gradio-app/gradio allows attackers to upload multiple large files to a victim's system if they are running Gradio locally. By crafting a malicious HTML page that triggers an unauthorized file upload to the victim's server, an attacker can deplete the system's disk space, potentially leading to a den
CVE-2024-47869 | P4 | LOW | CVSS 3.7 | fixed in 4.44.0 | 2024-10-10
CVE-2024-47869 [LOW] CWE-203: Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **timing attack** in the way Gradio compares hashes for the `analytics_dashboard` function. Since the comparison is not done in constant time, an attacker could exploit this by measuring the response time of different requests to infer the correct hash
CVE-2025-5320 | P4 | LOW | affected ≥ 5.0.0, ≤ 5.29.1 | 2025-05-29
CVE-2025-5320 [LOW] CWE-345: Gradio CORS Origin Validation Bypass Vulnerability. A vulnerability classified as problematic has been found in gradio-app gradio up to 5.29.1. This affects the function is_valid_origin of the component CORS Handler. The manipulation of the argument localhost_aliases leads to origin validation error. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told
CVE-2026-10783 | P4 | LOW | CVSS 2.5 | v6.14.0 | 2026-06-04
CVE-2026-10783 [LOW] CWE-327: A security flaw has been discovered in gradio-app gradio 6.14.0. This affects the function save_audio_to_cache of the component Audio Cache Key Handler. Performing a manipulation results in use of weak hash. The attack must be initiated from a local position. The attack is considered to have high complexity. It is indicated that the exploitability is d
CVE-2024-34511 | MEDIUM | affected ≥ 0, < 4.13.0 | 2024-05-05
CVE-2024-34511 [MEDIUM]: Gradio's Component Server does not properly consider `_is_server_fn` for functions. Component Server in Gradio before 4.13 does not properly consider `_is_server_fn` for functions.