CVE-2026-48545

Published 27/05/2026 15:16 · Modified 27/05/2026 17:16

Labels: CVE-2026-48545 · 2026-05-27 · CWE-384 · [email protected]

Essential information

Published: 27/05/2026 15:16
Modified: 27/05/2026 17:16
Author: Creator
CVSS: 7.6 HIGH (v3) · 7.6 HIGH (v4.0)
CISA KEV: No
CWE: CWE-384
CVSS vector:
CVSS metrics:

Description

Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can return a parent-domain cookie that the shared client stores and automatically replays into all subsequent proxy requests to other legitimate Spaces, affecting all users of the same Gradio deployment.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product: gradio / gradio
CPE: cpe:2.3:a:gradio:gradio:<6.15.0:*:*:*:*:*:*:*

References