Cross-site scripting in Gradio - CVE-2024-47872
Published: October 10, 2024 / Updated: April 28, 2026
Gradio
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability is a cross-site scripting flaw in the handling of file uploads and the display of uploaded files, and arises when uploaded HTML, JavaScript, or SVG files are processed. A remote user can upload a crafted file to execute arbitrary script in a victim's browser.
Exploitation requires user interaction: another user must download or view the uploaded file.
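One way to serve user uploads so that the HTML, JavaScript and SVG cases described above are downloaded rather than rendered in the viewer's browser. This is an added example, not Gradio's code or its fix; `headers_for_upload` and the allowlist contents are hypothetical.

```python
import os
from urllib.parse import quote

# Constructed allowlist: types a browser displays without running script.
# Anything not listed here (including .html, .js, .svg) is forced to download.
INERT_INLINE_TYPES = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
    ".webp": "image/webp",
    ".txt": "text/plain; charset=utf-8",
    ".wav": "audio/wav",
    ".mp3": "audio/mpeg",
    ".mp4": "video/mp4",
}


def headers_for_upload(filename: str) -> dict[str, str]:
    """Return response headers for serving a user-uploaded file (hypothetical helper)."""
    # Keep only the final path component of the client-supplied name.
    name = os.path.basename(filename.replace("\\", "/")) or "download"
    ext = os.path.splitext(name)[1].lower()
    # RFC 5987 percent-encoding keeps quotes and CR/LF out of the header value.
    encoded = quote(name, safe="")
    headers = {
        # Stops the browser from sniffing HTML out of a file labelled as an image.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: a document rendered anyway is sandboxed, with no script.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    if ext in INERT_INLINE_TYPES:
        headers["Content-Type"] = INERT_INLINE_TYPES[ext]
        headers["Content-Disposition"] = f"inline; filename*=UTF-8''{encoded}"
    else:
        # Active or unknown content: opaque type, download only, never rendered.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f"attachment; filename*=UTF-8''{encoded}"
    return headers
```

The decision is an allowlist rather than a denylist of the three named types, so an extension the list does not know about is downloaded by default.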