CVE-2026-28416: Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Fo
Summary
Gradio, a Python package for building AI demos, was vulnerable before version 6.6.0 to server-side request forgery (SSRF), in which an attacker induces a server to make requests on the attacker's behalf. By hosting a malicious Gradio Space, an attacker could cause the server of any victim who loaded that Space with `gr.load()` to reach internal services and private networks that the attacker could not access directly.
Solution / Mitigation
Update Gradio to version 6.6.0 or later, which fixes the issue.
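The record above gives the fix as an upgrade. For the general class of bug it describes (a server fetching a URL that ultimately comes from an untrusted party), the defensive check a practitioner usually wants alongside the upgrade is an egress guard that resolves the destination host and refuses anything pointing at loopback, private, link-local or otherwise internal address space. The block below is an added example written for this page; it is not Gradio's code or its actual fix, and the hostnames, addresses and the fake DNS table are constructed so the demo runs offline. It goes a little beyond the record by also catching IPv4-mapped IPv6 literals and hosts that resolve to a mix of public and private addresses.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlparse

# Ranges the ipaddress module does not report as private but that should
# never be an outbound destination from a server: carrier-grade NAT (RFC 6598).
EXTRA_BLOCKED_NETWORKS = [ipaddress.ip_network("100.64.0.0/10")]

ALLOWED_SCHEMES = {"http", "https"}


def is_blocked_address(addr: str) -> bool:
    """True if addr lies anywhere inside address space a server should not reach."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 literal (::ffff:10.0.0.5) must be judged as the IPv4
    # address it wraps, or the private range check is trivially bypassed.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in EXTRA_BLOCKED_NETWORKS)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def system_resolver(host: str) -> list[str]:
    """Resolve with the OS resolver and return every address, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url: str,
                       resolver: Callable[[str], Iterable[str]] = system_resolver
                       ) -> tuple[bool, str]:
    """Decide whether a server may fetch url. Returns (allowed, reason)."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "URL has no host"
    try:
        addresses = [host] if _is_ip_literal(host) else list(resolver(host))
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return False, f"cannot resolve {host!r}: {exc}"
    if not addresses:
        return False, f"{host!r} resolved to no addresses"
    # One blocked address is enough to refuse: a name that resolves to both a
    # public and a private address must not be fetched either.
    for addr in addresses:
        if is_blocked_address(addr):
            return False, f"{host!r} resolves to blocked address {addr}"
    return True, "ok"


# Constructed DNS table so the demo runs with no network access.
FAKE_DNS = {
    "public-space.example": ["8.8.8.8"],
    "internal.example": ["10.0.0.5"],
    "mixed.example": ["8.8.8.8", "192.168.1.20"],
    "localhost": ["127.0.0.1"],
}


def fake_resolver(host: str) -> list[str]:
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")


def demo() -> dict[str, bool]:
    """Run the guard over constructed URLs; maps each URL to allowed/denied."""
    urls = [
        "https://public-space.example/api/predict",   # public, allowed
        "http://127.0.0.1:7860/",                     # loopback
        "http://169.254.169.254/latest/meta-data/",   # cloud metadata range
        "https://internal.example/",                  # name -> private address
        "https://mixed.example/",                     # public + private answers
        "http://[::ffff:10.0.0.5]/",                  # IPv4-mapped IPv6 bypass
        "ftp://public-space.example/",                # disallowed scheme
    ]
    return {u: check_outbound_url(u, fake_resolver)[0] for u in urls}


if __name__ == "__main__":
    for url, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {url}")
```

One caveat worth carrying into any real deployment: the guard validates the addresses returned at check time, so the HTTP client should connect to those same addresses (or the check should be repeated inside the client's connection hook) rather than resolving the name a second time, and it should be re-run on every redirect target.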
Vulnerability Details
8.2 (high)
EPSS: 0.0%
Classification
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-28416
First tracked: February 27, 2026 at 07:07 PM
Classified by LLM (prompt v3) · confidence: 95%