Cyber Resilience

CVE-2026-49119

HighPublic PoC

Published: 01 July 2026

Published
01 July 2026
Modified
02 July 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0069 48.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-49119 is a high-severity Path Traversal (CWE-22) vulnerability in Gradio Project Gradio. Its CVSS base score is 8.7 (High).

Operationally, ranked at the 48.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Gradio before 6.16.0 contain a path traversal vulnerability in the FileExplorer component's preprocess() method that allows unauthenticated attackers to escape the configured root directory by supplying path segments containing directory traversal sequences or absolute paths. Attackers can provide crafted path…

more

segments that cause os.path.join to discard the root_dir prefix entirely, resulting in arbitrary file read or exposure of sensitive files outside the intended directory.

CWE(s)

Related Threats

CVEs Like This One

CVE-2024-51751Same product: Gradio Project Gradio
CVE-2021-43831Same product: Gradio Project Gradio
CVE-2023-51449Same product: Gradio Project Gradio
CVE-2024-47166Same product: Gradio Project Gradio
CVE-2024-1728Same product: Gradio Project Gradio
CVE-2024-0964Same product: Gradio Project Gradio
CVE-2024-4941Same product: Gradio Project Gradio
CVE-2024-47164Same product: Gradio Project Gradio
CVE-2024-47868Same product: Gradio Project Gradio
CVE-2022-40976Shared CWE-22

Affected Assets

gradio project
gradio
≤ 6.16.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References