PatchSiren

gradio-app CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM gradio-app CVE published 2026-07-08

CVE-2026-59806

CVE-2026-59806 is an open redirect and server-side request forgery vulnerability in Gradio before 6.20.0. The vulnerability allows attackers to redirect users to arbitrary URLs or perform client-side SSRF by supplying unvalidated HTTP/HTTPS URLs to the file_fetch() function in the /gradio_api/file= endpoint. Affected product deployments should be reviewed for exposure, and owners should be assigned for fo [truncated]

HIGH gradio-app CVE published 2026-05-27

CVE-2026-48545

Gradio versions prior to 6.15.0 contain a session fixation vulnerability stemming from a shared module-level HTTP client in the reverse proxy endpoint. The shared client stores cookies returned by any Hugging Face Space and automatically replays them into subsequent proxy requests to other Spaces, enabling cross-Space session fixation. An attacker controlling a malicious Space can inject a parent-domain c [truncated]