PT-2026-54771 · Gradio · Gradio

Abidlabs

·

Published

2026-07-01

·

Updated

2026-07-02

·

CVE-2026-49119

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Gradio versions prior to 6.16.0
Description A path traversal issue exists in the preprocess() function of the FileExplorer component. Unauthenticated attackers can escape the configured root directory by providing path segments that include absolute paths or directory traversal sequences. This occurs because the os.path.join function may discard the root dir prefix when processing these crafted segments, leading to arbitrary file read or the exposure of sensitive files located outside the intended directory.
Recommendations Update Gradio to version 6.16.0 or later.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-49119

Affected Products

Gradio