PYSEC-2026-1418

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/gradio/PYSEC-2026-1418.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1418
Aliases
Published
2026-07-07T14:34:52.925368Z
Modified
2026-07-07T17:47:40.462312317Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Gradio Path Traversal vulnerability
Details

A vulnerability in the gradio-app/gradio repository, version git 67e4044, allows for path traversal on Windows OS. The implementation of the blocked_path functionality, which is intended to disallow users from reading certain files, is flawed. Specifically, while the application correctly blocks access to paths like 'C:/tmp/secret.txt', it fails to block access when using NTFS Alternate Data Streams (ADS) syntax, such as 'C:/tmp/secret.txt::$DATA'. This flaw can lead to unauthorized reading of blocked file paths.

References

Affected packages

PyPI / gradio

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
5.0.1

Affected versions

0.*
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.2.0
0.2.1
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.4.0
0.4.1
0.4.2
0.4.4
0.5.0
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.8.0
0.8.1
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9.2
0.9.9.3
0.9.9.5
0.9.9.6
0.9.9.7
0.9.9.8
0.9.9.9
0.9.9.9.2
1.*
1.0.0a1
1.0.0a3
1.0.0a4
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.8
1.1.8.1
1.1.9
1.2.2
1.2.3
1.3.0
1.3.1
1.3.2
1.4.0
1.4.2
1.4.3
1.4.4
1.5.0
1.5.1
1.5.3
1.5.4
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
2.*
2.0.0
2.0.1
2.0.2
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.1.0
2.1.1
2.1.2
2.1.4
2.1.6
2.1.7
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9a0
2.2.9a2
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.3.0a0
2.3.0b99
2.3.0b101
2.3.0b102
2.3.0
2.3.3
2.3.4
2.3.5b0
2.3.5
2.3.6
2.3.7b0
2.3.7b1
2.3.7b2
2.3.7
2.3.8b0
2.3.9
2.4.0a0
2.4.0
2.4.1
2.4.2
2.4.4
2.4.5
2.4.6
2.4.7b0
2.4.7b2
2.4.7b3
2.4.7b4
2.4.7b5
2.4.7b6
2.4.7b7
2.4.7b8
2.4.7b9
2.5.0
2.5.1
2.5.2
2.5.3
2.5.8a0
2.6.0
2.6.1a0
2.6.1b0
2.6.1b3
2.6.1
2.6.2
2.6.3
2.6.4b0
2.6.4b2
2.6.4b3
2.6.4
2.7.0a101
2.7.0a102
2.7.0b70
2.7.0
2.7.5
2.7.5.1
2.7.5.2b0
2.7.5.2
2.8.0a100
2.8.0b0
2.8.0b2
2.8.0b3
2.8.0b4
2.8.0b5
2.8.0b6
2.8.0b10
2.8.0b12
2.8.0b20
2.8.0b22
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.8.10
2.8.11
2.8.12
2.8.13
2.8.14
2.9.0b0
2.9.0b1
2.9.0b2
2.9.0b3
2.9.0b5
2.9.0b6
2.9.0b7
2.9.0b8
2.9.0b9
2.9.0b10
2.9b11
2.9b12
2.9b13
2.9b14
2.9b15
2.9b20
2.9b21
2.9b22
2.9b23
2.9b24
2.9b25
2.9b26
2.9b27
2.9b28
2.9b30
2.9b31
2.9b32
2.9b33
2.9b40
2.9b48
2.9b50
2.9.0
2.9.0.1
2.9.1
2.9.2
2.9.3
2.9.4
3.*
3.0b0
3.0b1
3.0b2
3.0b5
3.0b6
3.0b8
3.0b9
3.0b10
3.0
3.0.1b120
3.0.1b121
3.0.1b300
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6b1
3.0.6b2
3.0.6b3
3.0.6
3.0.7
3.0.8b1
3.0.8
3.0.9b10
3.0.9b11
3.0.9b20
3.0.9
3.0.10b2
3.0.10b16
3.0.10
3.0.11b1
3.0.11
3.0.12
3.0.13b13
3.0.13b15
3.0.13b100
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18b0
3.0.18
3.0.19b0
3.0.19b1
3.0.19b2
3.0.19
3.0.20.dev0
3.0.20
3.0.21
3.0.22
3.0.23.dev1
3.0.23
3.0.24
3.0.25
3.0.26
3.1.0
3.1.1
3.1.2
3.1.3a0
3.1.3a2
3.1.3a3
3.1.3a4
3.1.3a5
3.1.3
3.1.4b0
3.1.4b1
3.1.4b2
3.1.4b3
3.1.4b4
3.1.4b5
3.1.4
3.1.5b1
3.1.5b2
3.1.5b3
3.1.5b4
3.1.5b5
3.1.5b7
3.1.5b8
3.1.5b9
3.1.5b10
3.1.5
3.1.6b1
3.1.6
3.1.7
3.1.8b0
3.1.8b2
3.1.8b3
3.1.8b4
3.1.8b6
3.2
3.2.1b0
3.2.1b1
3.2.1b2
3.3b0
3.3b1
3.3
3.3.1
3.4b0
3.4b1
3.4b2
3.4b3
3.4b5
3.4
3.4.1
3.5
3.6.0b1
3.6.0b2
3.6.0b3
3.6.0b7
3.6.0b10
3.6
3.7
3.8b1
3.8b2
3.8
3.8.1.dev1
3.8.1
3.8.2
3.9
3.9.1
3.10.0
3.10.1
3.11.0
3.12.0b1
3.12.0b2
3.12.0b3
3.12.0b6
3.12.0b7
3.12.0
3.13.0b1
3.13.0
3.13.1b0
3.13.1b1
3.13.1b2
3.13.1
3.13.2
3.14.0a1
3.14.0
3.15.0
3.16.0
3.16.1b1
3.16.1
3.16.2
3.17.0
3.17.1b1
3.17.1b2
3.17.1
3.18.0
3.18.1b1
3.18.1b2
3.18.1b3
3.18.1b4
3.18.1b5
3.18.1b6
3.18.1b7
3.19.0
3.19.1
3.20.0b1
3.20.0b2
3.20.0
3.20.1
3.21.0
3.22.0
3.22.1b1
3.22.1
3.23.0
3.23.1b1
3.23.1b2
3.23.1b3
3.24.0
3.24.1
3.25.0
3.25.1b1
3.25.1b2
3.26.0
3.27.0
3.28.0
3.28.1
3.28.2
3.28.3
3.28.4b0
3.29.0
3.30.0
3.31.0
3.32.0
3.33.0
3.33.1
3.34.0
3.35.0
3.35.1
3.35.2
3.36.0
3.36.1
3.37.0
3.38.0
3.39.0
3.40.0
3.40.1
3.41.0
3.41.1
3.41.2
3.42.0
3.43.0
3.43.1
3.43.2
3.44.0
3.44.1
3.44.2
3.44.3
3.44.4
3.45.0b0
3.45.0b9
3.45.0b10
3.45.0b11
3.45.0b12
3.45.0b13
3.45.0
3.45.1
3.45.2
3.46.0
3.46.1
3.47.0
3.47.1
3.48.0
3.49.0
3.50.0
3.50.1
3.50.2
4.*
4.0.0b15
4.0.0
4.0.1
4.0.2
4.1.0
4.1.1
4.1.2
4.2.0
4.3.0
4.4.0
4.4.1
4.5.0
4.7.0
4.7.1
4.8.0
4.9.0
4.9.1
4.10.0
4.11.0
4.12.0
4.13.0
4.14.0
4.15.0
4.16.0
4.17.0
4.18.0
4.19.0
4.19.1
4.19.2
4.20.0
4.20.1
4.21.0
4.22.0
4.23.0
4.24.0
4.25.0
4.26.0
4.27.0
4.28.0
4.28.1
4.28.2
4.28.3
4.29.0
4.31.0
4.31.1
4.31.2
4.31.3
4.31.4
4.31.5
4.32.0
4.32.1
4.32.2
4.33.0
4.35.0
4.36.0
4.36.1
4.37.1
4.37.2
4.38.0
4.38.1
4.39.0
4.40.0
4.41.0
4.42.0
4.43.0
4.44.0
4.44.1
5.*
5.0.0b1
5.0.0b5
5.0.0b6
5.0.0b7
5.0.0b8
5.0.0b9
5.0.0b10
5.0.0
5.0.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/gradio/PYSEC-2026-1418.yaml"