EUVD-2025-6790

Malicious code in bioql PyPI...

EUVD-2025-6794

Malicious code in bioql PyPI...

CVE-2025-27787

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to denial of service DoS in restart.py. modelname in train.py takes user input, and passes it to the stoptrain function in restart.py, which uses it construct a path to a folder with config.json. That config.json is...

CVE-2025-27786

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file removal in core.py. outputttspath in tts.py takes arbitrary user input and passes it to runttsscript function in core.py, which checks if the path in outputttspath exists, and if yes, removes that...

CVE-2025-27775

CVE-2025-27775 affects Applio (voice conversion tool), versions 3.2.7 and earlier. The vulnerability is in a server-side request forgery (SSRF) and a file write in model_download.py (line 143 in 3.2.7). The blind SSRF enables the Applio server to issue requests on its behalf to internal or reacha...

CVE-2025-27778 Applio allows unsafe deserialization in infer.py

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in infer.py. The issue can lead to remote code execution. As of time of publication, a fix is available on the main branch of the Applio repository but not attached to a numbered release...

CVE-2025-27779 Applio allows unsafe deserialization in model_blender.py

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in modelblender.py lines 20 and 21. modelfusiona and modelfusionb from voiceblender.py take user-supplied input e.g. a path to a model and pass that value to the runmodelblenderscript and...

CVE-2025-27779

CVE-2025-27779 (Applio) : Affects Applio, versions 3.2.8-bugfix and prior. The issue is unsafe deserialization in the model_blender.py file (lines 20–21) triggered when user-supplied input (e.g., a model path) is passed through voice_blender.py’s model_fusion_a/b to run_model_blender_script and e...

CVE-2025-27782

The CVE-2025-27782 entry concerns Applio, a voice-conversion tool. Affected are versions 3.2.8-bugfix and earlier, where the vulnerability exists in inference.py allowing arbitrary file write on the server. This can be combined with unsafe deserialization to achieve remote code execution. As of p...

CVE-2025-27787 Applio allows a DoS in restart.py

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to denial of service DoS in restart.py. modelname in train.py takes user input, and passes it to the stoptrain function in restart.py, which uses it construct a path to a folder with config.json. That config.json is...

CVE-2025-27781 Applio allows unsafe deserialization in inference.py

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in inference.py. modelfile in inference.py as well as modelfile in tts.py take user-supplied input e.g. a path to a model and pass that value to the changechoices and later to getspeakersid...

CVE-2025-27780 Applio allows unsafe deserialization in model_information.py

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in modelinformation.py. modelname in modelinformation.py takes user-supplied input e.g. a path to a model and pass that value to the runmodelinformationscript and later to modelinformation...