pkg:PyPI/gradio

77 total CVEs: CRITICAL 4, HIGH 39, MEDIUM 27, LOW 3

All known vulnerabilities

  • CRITICAL 9.8 | CVE-2024-39236 | Withdrawn Advisory: Gradio was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py
    Affected: from 0, <= 4.36.1
  • CRITICAL 9.6 | CVE-2023-6572 | Gradio Exposure of Sensitive Information to an Unauthorized Actor vulnerability
    Affected: from 0, < 5b5af1899dd98d63e1f9b48a93601c2db1f56520 | from 0, < 4.14.0
  • HIGH 8.8 | CVE-2024-47084 | Gradio's CORS origin validation is not performed when the request has a cookie
    Affected: from 0, < 4.44.0
  • HIGH 8.8 | CVE-2022-24770 | Improper Neutralization of Formula Elements in a CSV File in Gradio Flagging
    Affected: from 0, < 80fea89117358ee105973453fdc402398ae20239 | from 0, < 2.8.11
  • HIGH 8.6 | CVE-2024-4325 | Server-Side Request Forgery in gradio
    Affected: from 0, <= 4.36.0
  • HIGH 8.6 | CVE-2023-51449 | Gradio makes the `/file` secure against file traversal and server-side request forgery attacks
    Affected: from 0, < 1b9d4234d6c25ef250d882c7b90e1f4039ed2d76, < 7ba8c5da45b004edd12c0460be9222f5b5f5f055 | from 0, < 4.11.0
  • HIGH 8.3 | CVE-2021-43831 | Files on the host computer can be accessed from the Gradio interface
    Affected: from 0, < 41bd3645bdb616e1248b2167ca83636a2653f781 | from 0, < 2.5.0
  • HIGH 8.2 | CVE-2026-28416 | Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing
    Affected: from 0, < 6.6.0
  • HIGH 8.2 | CVE-2024-10648 | Gradio Vulnerable to Arbitrary File Deletion
    Affected: >= 4.0.0, <= 5.0.0b2
  • HIGH 8.1 | CVE-2024-47871 | Gradio uses insecure communication between the FRP client and server
    Affected: from 0, < 5.0.0
  • HIGH 7.5 | CVE-2026-28414 | Gradio is Vulnerable to Absolute Path Traversal on Windows with Python 3.13+
    Affected: from 0, < 6.7.0
  • HIGH 7.5 | CVE-2024-8966 | Gradio DoS in multipart boundary while uploading a file
    Affected: from 0, <= 5.22.0
  • HIGH 7.5 | CVE-2024-10624 | Gradio Vulnerable to Denial of Service (DoS) via Crafted HTTP Request
    Affected: >= 4.38.0, <= 5.0.0-beta.2
  • HIGH 7.5 | CVE-2024-10569 | Gradio Vulnerable to Denial of Service (DoS) via Crafted Zip Bomb
    Affected: >= 4.0.0, <= 5.0.0b2
  • HIGH 7.5 | CVE-2025-23042 | Gradio Blocked Path ACL Bypass Vulnerability
    Affected: from 0, < 5.6.0
    Affected: from 0, < 5.11.0
  • HIGH 7.5 | CVE-2024-47867 | Gradio lacks integrity checking on the downloaded FRP client
    Affected: from 0, < 5.0.0
  • HIGH 7.5 | CVE-2024-4941 | Local file inclusion in gradio
    Affected: from 0, < ee1e2942e0a1ae84a08a05464e41c8108a03fa9c | from 0, < 4.31.4
    Affected: from 0, < 4.31.3
  • HIGH 7.5 | CVE-2024-34510 | Gradio allows credential leakage on Windows
    Affected: from 0, < 4.20.0
  • HIGH 7.5 | CVE-2024-1561 | gradio vulnerable to Path Traversal
    Affected: from 0, < 4.13.0
  • HIGH 7.5 | CVE-2024-1728 | Gradio allows users to access arbitrary files
    Affected: from 0, < 4.19.2
  • HIGH 7.5 | CVE-2024-0964 | Gradio Path Traversal vulnerability
    Affected: from 0, < 4.9.0
  • HIGH 7.3 | CVE-2024-2206 | gradio Server-Side Request Forgery vulnerability
    Affected: from 0, < 4.18.0
  • HIGH 7.3 | CVE-2023-34239 | Gradio vulnerable to arbitrary file read and proxying of arbitrary URLs
    Affected: from 0, < 3.34.0
  • HIGH 7.2 | CVE-2024-47167 | Gradio vulnerable to SSRF in the path parameter of /queue/join
    Affected: from 0, < 5.0.0
  • HIGH 7.0 | CVE-2024-47870 | Gradio has a race condition in update_root_in_config that may redirect user traffic
    Affected: from 0, < 5.0.0
  • MEDIUM 6.5 | CVE-2024-48052 | gradio Server Side Request Forgery vulnerability
    Affected: from 0, <= 4.42.0
  • MEDIUM 6.5 | CVE-2024-47164 | Gradio's `is_in_or_equal` function may be bypassed
    Affected: from 0, < 5.0.0
  • MEDIUM 6.5 | CVE-2024-34511 | Gradio's Component Server does not properly consider `_is_server_fn` for functions
    Affected: from 0, < 4.13.0
  • MEDIUM 6.5 | CVE-2024-1183 | gradio Server-Side Request Forgery vulnerability
    Affected: from 0, < 4.10.0
  • MEDIUM 5.9 | CVE-2024-1729 | Gradio apps vulnerable to timing attacks to guess password
    Affected: from 0, < 4.19.2
  • MEDIUM 5.4 | CVE-2024-8021 | Gradio Vulnerable to Open Redirect
    Affected: from 0, <= 4.37.2
  • MEDIUM 5.4 | CVE-2024-47872 | Gradio has an XSS on every Gradio server via upload of HTML files, JS files, or SVG files
    Affected: from 0, < 5.0.0
  • MEDIUM 5.4 | CVE-2024-47165 | Gradio's CORS origin validation accepts the null origin
    Affected: from 0, < 5.0.0
  • MEDIUM 5.4 | CVE-2024-4940 | Open redirect in gradio
    Affected: from 0, <= 4.36.1
  • MEDIUM 5.4 | CVE-2023-25823 | Update share links to use FRP instead of SSH tunneling
    Affected: from 0, < 3.13.1
  • MEDIUM 5.3 | CVE-2025-48889 | Gradio Allows Unauthorized File Copy via Path Manipulation
    Affected: from 0, < 5.31.0
    Affected: >= 5.25.2, < 5.31.0
  • MEDIUM 5.3 | CVE-2024-12217 | Gradio Path Traversal vulnerability
    Affected: from 0, <= 5.0.1
  • MEDIUM 5.3 | CVE-2024-47868 | Gradio has several components with post-process steps that allow arbitrary file leaks
    Affected: from 0, < 5.0.0
  • MEDIUM 5.3 | CVE-2024-47166 | Gradio has a one-level read path traversal in `/custom_component`
    Affected: from 0, < 4.44.0
  • MEDIUM 4.8 | CVE-2023-41626 | Gradio arbitrary file upload vulnerability
    Affected: from 0, <= 3.27.0
  • MEDIUM 4.3 | CVE-2026-28415 | Gradio has an Open Redirect in its OAuth Flow
    Affected: from 0, < 6.6.0
  • MEDIUM 4.3 | CVE-2024-47168 | In Gradio, the `enable_monitoring` flag set to `False` does not disable monitoring
    Affected: from 0, < 4.44.0
  • MEDIUM 4.3 | CVE-2024-1727 | Gradio applications running locally vulnerable to 3rd party websites accessing routes and uploading files
    Affected: from 0, < 4.19.2
  • LOW 3.7 | CVE-2025-5320 | Gradio CORS Origin Validation Bypass Vulnerability
    Affected: >= 5.0.0, <= 5.29.1
  • LOW 3.7 | CVE-2024-47869 | Gradio performs a non-constant-time comparison when comparing hashes
    Affected: from 0, < 4.44.0
  • NONE 0.0 | CVE-2026-27167 | Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret
    Affected: >= 4.16.0, < 6.6.0
  • NONE 0.0 | CVE-2024-51751 | Gradio vulnerable to arbitrary file read with File and UploadButton components
    Affected: >= 5.0.0, < 5.5.0