{"data":{"id":"7703b21f-1c0d-4ed4-89dc-de0eef924195","title":"CVE-2026-48545: Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Spa","summary":"Gradio versions before 6.15.0 have a cookie injection vulnerability that lets attackers perform session fixation (tricking a system into using a fake session ID) across multiple user spaces. An attacker controlling one Gradio Space can inject a cookie into a shared HTTP client (a tool that sends web requests) that automatically gets sent to all other legitimate Spaces, affecting every user on that Gradio deployment.","solution":"Update Gradio to version 6.15.0 or later. The vulnerability is fixed in the release available at https://github.com/gradio-app/gradio/releases/tag/gradio%406.15.0.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-48545","publishedAt":"2026-05-27T15:16:31.020Z","cveId":"CVE-2026-48545","cweIds":["CWE-384"],"cvssScore":"6.8","cvssSeverity":"medium","severity":"medium","attackType":[],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Gradio","HuggingFace Spaces"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","attackVector":"network","attackComplexity":"high","privilegesRequired":"none","userInteraction":"required","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-05-27T15:16:31.020Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}