Features
- #13422
96d4fd1- Make the session heartbeat interval configurable via theGRADIO_HEARTBEAT_INTERVALenvironment variable (#13346). Thanks @wjddnwp29! - #13459
6320116- Show a friendly landing page (instead of a raw JSON-RPC error) when the MCP endpoint is opened in a browser. Thanks @ShirGanon!
Fixes
- #13437
97d541f- Fix path traversal ingr.FileExplorer.preprocessby validating selected paths with_safe_join(consistent withls()), rejecting absolute/..paths that escaperoot_dir. Thanks @abidlabs! - #13438
010ee63- Fix open-redirect bypass ingradio.oauth._redirect_to_targetwhere 4+ leading slashes (or backslashes) in_target_urlproduced a scheme-relative redirect to an external host, restoring CVE-2026-28415. Thanks @abidlabs! - #13240
0d670ad- Fix browser freeze when a dataframe's value is set (e.g. via a tab select event), and only dispatch the tabs select event when the selected tab actually changes. Thanks @freddyaboulton! - #13461
702a8b1- Fix runtime language switching not re-translating component labels/values (only the footer updated).@gradio/utilsresolved its own duplicatesvelte-i18ninstance whose locale store was never updated; the retranslation trigger now uses the live formatter store injected by@gradio/core. Thanks @abidlabs! - #13458
939e84c- Defer Node front proxy startup until Python is ready in SSR mode. Thanks @pngwn! - #13436
48d0e27- Fix SSRF inImage/GallerySVG postprocessing andAudiostreaming postprocessing by routing user-influenced URL fetches throughsafehttpx. Thanks @abidlabs! - #13451
29bd7a0-gr.Dropdown()Fixes. Thanks @dawoodkhan82!