HIGH🇬🇧 English

CVE-2026-48545

CVSS 7.6v4.0pub. 2026-05-27upd. 2026-06-02

Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can return a parent-domain cookie that the shared client stores and automatically replays into all subsequent proxy requests to other legitimate Spaces, affecting all users of the same Gradio deployment.

oryginał EN
CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Gradio Project Gradio

    APP
    Gradio Project
    < 6.15.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2024-39236CRITICAL9.8PL ✓ten sam produkt

Code injection w Gradio v4.36.1 via component_meta.py

CVE-2024-4253CRITICAL9.1PL ✓ten sam produkt

Command Injection w workflow CI/CD repozytorium Gradio (GitHub Actions)

CVE-2024-0964CRITICAL9.4PL ✓ten sam produkt

Path Traversal (LFI) w Gradio poprzez złośliwą wartość JSON w API

CVE-2026-49119HIGH8.7ten sam produkt

Gradio before 6.16.0 contain a path traversal vulnerability in the FileExplorer component's preprocess() metho...

CVE-2026-28414HIGH7.5ten sam produkt

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps runn...