CRITICAL🇵🇱 Wersja polska

CVE-2024-39236

CVSS 9.8v3.1pub. 2024-07-01upd. 2025-06-27

Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input. NOTE: the supplier disputes this because the report is about a user attacking himself.

🤖 AI Analysis
How it works

The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) and involves the component_meta.py component processing input in a way that allows injection and execution of arbitrary code. An attacker can provide a crafted payload that will be interpreted and executed by the application. The vendor (Gradio Project) questions the report, pointing out that the described scenario does not pose a real threat to other users, as the attacker would have to target their own environment.

Impact

If the vulnerability is successfully exploited, the attacker can gain full control over the confidentiality, integrity, and availability of the system (CVSS vector scores C:H/I:H/A:H), which potentially includes arbitrary code execution on the server.

Mitigation & patch

Patches available from the vendor should be applied according to the references. Due to the vendor's dispute regarding the validity of the vulnerability, it is recommended to monitor official Gradio project communications and update to the latest available version of the library.

Who is affected

Gradio version 4.36.1 (Gradio Project)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Gradio Project Gradio

    APP
    Gradio Project
    4.36.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-4253CRITICAL9.1PL ✓ten sam produkt

Command Injection w workflow CI/CD repozytorium Gradio (GitHub Actions)

CVE-2024-0964CRITICAL9.4PL ✓ten sam produkt

Path Traversal (LFI) w Gradio poprzez złośliwą wartość JSON w API

CVE-2026-49119HIGH8.7ten sam produkt

Gradio before 6.16.0 contain a path traversal vulnerability in the FileExplorer component's preprocess() metho...

CVE-2026-48545HIGH7.6ten sam produkt

Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform...

CVE-2026-28414HIGH7.5ten sam produkt

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps runn...