SecBoard
Zurück zur CVE-Übersicht

CVE-2026-48545

MEDIUM(6.8)

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Risk Signal Score17/100 — NIEDRIG
  • CVSS 6.8 — Mittel

EPSS-Score

0%

Exploit-Wahrscheinlichkeit (30 Tage)

CVSS Score

6.8

Technische Schwere

Beschreibung

Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can return a parent-domain cookie that the shared client stores and automatically replays into all subsequent proxy requests to other legitimate Spaces, affecting all users of the same Gradio deployment.

GitHub Advisories

GHSA-7hp7-4p35-3cx2HIGH

Gradio contains a cookie injection vulnerability

pip/gradio6.15.0
GitHub Advisory

Referenzen