{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-04T07:21:06.815","vulnerabilities":[{"cve":{"id":"CVE-2026-28416","sourceIdentifier":"security-advisories@github.com","published":"2026-02-27T22:16:24.667","lastModified":"2026-03-05T13:03:21.533","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. Version 6.6.0 fixes the issue."},{"lang":"es","value":"Gradio es un paquete Python de código abierto diseñado para la creación rápida de prototipos. Antes de la versión 6.6.0, una vulnerabilidad de falsificación de petición del lado del servidor (SSRF) en Gradio permite a un atacante realizar peticiones HTTP arbitrarias desde el servidor de una víctima al alojar un Gradio Space malicioso. Cuando una aplicación víctima utiliza 'gr.load()' para cargar un Space controlado por el atacante, se confía en la 'proxy_url' maliciosa de la configuración y se añade a la lista de permitidos, lo que permite al atacante acceder a servicios internos, endpoints de metadatos en la nube y redes privadas a través de la infraestructura de la víctima. La versión 6.6.0 corrige el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-918"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*","versionEndExcluding":"6.6.0","matchCriteriaId":"59BB794F-B63D-4D86-B0F0-E60AF9017444"}]}]}],"references":[{"url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}