CVE-2026-48545

gradio_project / gradio

Description

Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can return a parent-domain cookie that the shared client stores and automatically replays into all subsequent proxy requests to other legitimate Spaces, affecting all users of the same Gradio deployment.

Scoring

CVSS 6.8
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS: 0.36% probability of exploitation · percentile 27.3% · 2026-06-19T12:03:05Z
Last modified: 2026-06-02

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-28416
CVE-2025-67298
CVE-2026-43625
CVE-2026-10783
CVE-2026-38566
CVE-2026-34356
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.