PT-2026-54771 · Gradio · Gradio
Abidlabs
·
Published
2026-07-01
·
Updated
2026-07-02
·
CVE-2026-49119
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Gradio versions prior to 6.16.0
Description
A path traversal issue exists in the
preprocess() function of the FileExplorer component. Unauthenticated attackers can escape the configured root directory by providing path segments that include absolute paths or directory traversal sequences. This occurs because the os.path.join function may discard the root dir prefix when processing these crafted segments, leading to arbitrary file read or the exposure of sensitive files located outside the intended directory.Recommendations
Update Gradio to version 6.16.0 or later.
Exploit
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Gradio