CVE-2024-39236
Severity: CRITICAL
Gradio 4.36.1 - Code Injection via Component Meta
Title source: llmDescription
Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input. NOTE: the supplier disputes this because the report is about a user attacking himself.
References (3)
Core References
Exploit, Third Party Advisory: https://github.com/Aaron911/PoC/blob/main/Gradio.md
Third Party Advisory: https://github.com/advisories/GHSA-9v2f-6vcg-3hgv
Exploit, Issue Tracking, Vendor Advisory: https://github.com/gradio-app/gradio/issues/8853
Scores
CVSS v3: 9.8
EPSS: 0.0188
EPSS Percentile: 83.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-94
Status: published
Products (2)
gradio_project/gradio, version 4.36.1
pypi/Gradio (PyPI)
Published: Jul 01, 2024
Tracked Since: Feb 18, 2026