CVE-2026-49119: Gradio before 6.16.0 contain a path traversal vulnerability in the FileExplorer component's preprocess() method that all
Summary
Gradio versions before 6.16.0 contain a path traversal vulnerability (a security flaw where attackers bypass restrictions on which directories they can access) in the FileExplorer component's preprocess() method. Unauthenticated attackers can supply specially crafted file paths that cause the system to escape the intended root directory and read arbitrary files outside the configured location, potentially exposing sensitive data.
Solution / Mitigation
Update Gradio to version 6.16.0 or later.
Vulnerability Details
7.5(high)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
network
low
none
none
July 1, 2026
Classification
Affected Vendors
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2026-26190: Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus expose
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-49119
First tracked: July 1, 2026 at 08:09 PM
Classified by LLM (prompt v3) · confidence: 92%