repository icon
gradio-app / gradio Project repository

Build and share delightful machine learning apps, all in Python. 🌟 Star to support our work!

Submit a report

FIRST INTERACTION

WITHINN/A DAYS

REVIEW

WITHIN44 DAYS

FIX

WITHIN76 DAYS

Arbitrary File Copy & DoS via Flagging Mechanism
pventuzelo
pending
DOS via CSV logging
pventuzelo
pending
CSV injection via CSV logging functionality of Gradio
pventuzelo
pending
Gradio Blocked Path ACL Bypass Vulnerability
superboy-zjc
pending
Gradio CORS Origin Validation Bypass Vulnerability
superboy-zjc
pending
blocked_path implementation flawded on windows OS, lead to blocked file read.
oicu0619
Medium
$125CVE-2024-12217
Denial of service while processing file uploading
oicu0619
duplicate
High
DoS by Sending Large Filename at File Upload Endpoint in
mnqazi
High
$750CVE-2025-0187
safe_join is flawed in windows OS, lead to path traversal
oicu0619
informative
High
zip bomb on dataframe component, lead to server crash
oicu0619
High
$750CVE-2024-10569
arbitrary file content deletion with component audio
oicu0619
High
$750CVE-2024-10648
Local file inclusion in dropdown and other components
oicu0619
informative
High
Redos (Regular Expression Denial of Service)
oicu0619
High
$750CVE-2024-10624
Insufficient File Type Verification Upload Function
morphykutay
informative
Medium
FULL SSRF in gr.DownloadButton
aftersnows
duplicate
High
check_public_url bypass via DNS rebinding
thealtofwar
not applicable
DOS in multipart boundry while uploading the file
mnqazi
High
$750CVE-2024-8966
stored xss caused by the file parameter opening a file in different file paths i...
quxaa
duplicate
Medium
Insecure Temporary File
web-hacker-team
not applicable
SSRF with Images components
nduy2110
duplicate
High
Open redirect by url encoding
govindpalakkal
Medium
$125CVE-2024-8021
RCE in Multiple Github Actions
redyetidev
informative
Critical
Vulnerable pdfjs-dist imported in Gradio Guides results JavaScript Injection
retr0reg
duplicate
High
Unsafe eval usage can lead to remote code execution
mookamooka
informative
Medium
Insecure pdf output handling leads to XSS vulnerability
7resp4ss
not applicable
XSS Stored in ChatInterface.
m3dium
not applicable
Stored XSS via upload image feature
hetroublemaker
duplicate
High
Improper Input Validation Leads to Code Injection Vulnerability
synfinack
spam
Unsafe Jinja2 Template Creation Increases Risk of Cross-Site Scripting (XSS) Vul...
synfinack
spam
Open Redirect: Unsanitized input from the request URL flows into fastapi.respons...
synfinack
not applicable
Path Traversal: Unsanitized input from an environment variable flows into open
synfinack
not applicable
Disabling SSL Verification in HTTP Requests: Potential Security Risk
synfinack
spam
Open redirect
d47secc
Medium
$125CVE-2024-4940
SSRF to access internal network
d47secc
self closed
SSRF allow gradio app to proxy arbitrary URLs
qhaoduoyu
duplicate
High
[gradio-app/gradio] Secrets exfiltration via the [deploy-website.yml] workflow
nikitastupin
informative
High
CVE-2024-4254
Secrets exfiltration via the [test-functional.yml] workflow
h2oa
informative
High
CVE-2024-4253
Stored XSS via file upload
nhienit2010
not applicable
SSRF access internal network
nhienit2010
duplicate
Critical
LFI in JSON component
ozelis
High
$750CVE-2024-4941
Secrets exfiltration via Github action workflow
codevigilanteofficial
informative
High
Improper sanitization for chatbot messages and responses
acciobugs
not applicable
Stored XSS due to upload SVG file
h2oa
duplicate
High
Lack of protection against brute force
h2oa
duplicate
Medium
GET-Based Open Redirect
h2oa
duplicate
Medium
Server-Side Request Forgery SSRF
mvlttt
High
$750CVE-2024-4325
No CSRF Protection on Oauth Login Callback
rook1337
self closed
Improper Validation of "?_target_url" parameter leads to open redirect at Oauth
rook1337
not applicable
No rate limiting on Gradio authentication
rook1337
informative
Medium
Arbitrary file reading caused by path traversal
7resp4ss
duplicate
Critical
stored xss via svg file upload
ranjit-git
informative
Critical
timing attack to guess the password
ranjit-git
Medium
$125CVE-2024-1729
Local File Inclusion
pinkdraconian
High
$750CVE-2024-1728
[gradio-app/gradio] Secrets exfiltration via the [deploy+test-visual.yml] workfl...
nikitastupin
High
$750CVE-2024-1540
CSRF allows attacker to upload many large files to victim
pinkdraconian
Medium
$125CVE-2024-1727
Local file read by calling arbitrary methods of Components class
ozelis
High
$750CVE-2024-1561
ReDos in external_utils.py #26
lujiefsi
spam
ReDoS
yetingli
spam
Arbitrary File Reading due to Lack of Input Filepath Validation
williwollo
High
$750CVE-2024-0964
Insecure Temporary File Handling in Gradio's File Upload API
williwollo
informative
High
Gradio chatbot vulnerable to HTML injection,Open Redirect and SSRF
geekysherlock
informative
Medium
Certificate validation is turned off for HTTPS requests
dmandefy
informative
High
ssrf bug to scan internet network
ranjit-git
Medium
$125CVE-2024-1183
Improper Certificate Validation
binghzal
informative
Medium
Server-side request forgery
binghzal
informative
Critical
Source repository compromise via github actions workflow
arunstar
Critical
$1500CVE-2023-6572
Command Injection
ready-research
informative
Critical
Insufficient SSRF protection allow gradio app to proxy arbitrary URLs
vvxhid
High
$750CVE-2024-2206
Insufficient SSRF protection allow gradio app to proxy arbitrary URLs
vvxhid
informative
High
SSRF Vulnerability Found in Gradio
eggdkk
informative
Medium
Cross-site Scripting (XSS) - Reflected
rajbabai8
informative
Critical