Unknown · Sd-Webui-Infinite-Image-Browsing · CVE-2023-46315
**Name of the Vulnerable Software and Affected Versions**
sd-webui-infinite-image-browsing extension versions before 977815a
**Description**
The issue allows remote attackers to read any local file via the "/file?path=" endpoint in the URL, as demonstrated by reading /proc/self/environ to discover credentials, when Gradio authentication is enabled without secret key configuration.
**Recommendations**
For versions before 977815a, consider disabling Gradio authentication or configuring a secret key to mitigate the risk of exploitation. As a temporary workaround, restrict access to the "/file?path=" endpoint to minimize the risk of reading local files.
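To check whether the endpoint has already been used to read files outside the image directories, web server access logs can be reviewed for "/file?path=" requests. The following is an added example, not code from the extension or from this advisory. It assumes combined-format access logs and a hypothetical allowed image root of `/srv/sd/outputs`; the function names and sample log lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: directories the image browser is expected to serve from.
ALLOWED_ROOTS = ["/srv/sd/outputs"]

# Request line and status code as written in combined-format access logs.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def path_is_allowed(path, roots=ALLOWED_ROOTS):
    """True if the normalized absolute path sits under one of the roots."""
    if not path.startswith("/"):
        return False
    norm = posixpath.normpath(path)  # collapses "." and ".." segments
    return any(norm == r or norm.startswith(r.rstrip("/") + "/") for r in roots)

def suspicious_file_requests(log_lines, roots=ALLOWED_ROOTS):
    """Return (client, requested_path, status) for /file?path= hits outside roots."""
    findings = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        # Match the endpoint named in the advisory under any URL prefix.
        if not url.path.endswith("/file"):
            continue
        # parse_qs percent-decodes values, so %2Fproc%2F... is compared decoded.
        for p in parse_qs(url.query).get("path", []):
            if not path_is_allowed(p, roots):
                findings.append((line.split()[0], p, int(m.group(2))))
    return findings

# Constructed sample log lines (documentation IP addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Nov/2023:10:00:01 +0000] "GET /file?path=/srv/sd/outputs/img1.png HTTP/1.1" 200 51234',
    '203.0.113.9 - - [01/Nov/2023:10:00:05 +0000] "GET /file?path=%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Nov/2023:10:00:09 +0000] "GET /file?path=/srv/sd/outputs/../../../etc/hostname HTTP/1.1" 200 12',
    '203.0.113.7 - - [01/Nov/2023:10:00:11 +0000] "GET /index.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, path, status in suspicious_file_requests(SAMPLE_LOG):
        print(f"{client} requested {path} (HTTP {status})")
```

A 200 status on a flagged request means the file content was returned, so any credentials in that file should be treated as exposed and rotated.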