29 matches found
EUVD-2025-6797
Malicious code in bioql PyPI...
CVE-2025-27781
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in inference.py. modelfile in inference.py as well as modelfile in tts.py take user-supplied input e.g. a path to a model and pass that value to the changechoices and later to getspeakersid...
CVE-2025-27774
Applio is a voice conversion tool. Versions 3.2.7 and prior are vulnerable to server-side request forgery SSRF and file write in modeldownload.py line 156 in 3.2.7. The blind SSRF allows for sending requests on behalf of Applio server and can be leveraged to probe for other vulnerabilities on the...
CVE-2025-27787
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to denial of service DoS in restart.py. modelname in train.py takes user input, and passes it to the stoptrain function in restart.py, which uses it construct a path to a folder with config.json. That config.json is...
CVE-2025-27785
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file read in train.py's exportindex function. This issue may lead to reading arbitrary files on the Applio server. It can also be used in conjunction with blind server-side request forgery to read files...
CVE-2025-27782
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file write in inference.py. This issue may lead to writing arbitrary files on the Applio server. It can also be used in conjunction with an unsafe deserialization to achieve remote code execution. As of...
CVE-2025-27779
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in modelblender.py lines 20 and 21. modelfusiona and modelfusionb from voiceblender.py take user-supplied input e.g. a path to a model and pass that value to the runmodelblenderscript and...
CVE-2025-27777
Applio is a voice conversion tool. Versions 3.2.7 and prior are vulnerable to server-side request forgery SSRF in modeldownload.py line 195 in 3.2.7. The blind SSRF allows for sending requests on behalf of Applio server and can be leveraged to probe for other vulnerabilities on the server itself ...
CVE-2025-27774 Applio allows SSRF and file write in model_download.py
Applio is a voice conversion tool. Versions 3.2.7 and prior are vulnerable to server-side request forgery SSRF and file write in modeldownload.py line 156 in 3.2.7. The blind SSRF allows for sending requests on behalf of Applio server and can be leveraged to probe for other vulnerabilities on the...
CVE-2025-27775 Applio allows SSRF and file write in model_download.py
Applio is a voice conversion tool. Versions 3.2.7 and prior are vulnerable to server-side request forgery SSRF and file write in modeldownload.py line 143 in 3.2.7. The blind SSRF allows for sending requests on behalf of Applio server and can be leveraged to probe for other vulnerabilities on the...
CVE-2025-27776
CVE-2025-27776 concerns Applio, a voice conversion tool. The connected sources confirm that versions 3.2.7 and earlier are vulnerable to server-side request forgery (SSRF) and to arbitrary file write via model_download.py (line 240 in 3.2.7, with other references noting line numbers 195 and 156 i...
CVE-2025-27776 Applio allows SSRF and file write in model_download.py
Applio is a voice conversion tool. Versions 3.2.7 and prior are vulnerable to server-side request forgery SSRF and file write in modeldownload.py line 240 in 3.2.7. The blind SSRF allows for sending requests on behalf of Applio server and can be leveraged to probe for other vulnerabilities on the...
CVE-2025-27777
CVE-2025-27777 affects Applio (voice conversion tool). Versions ≤ 3.2.7 contain a server‑side request forgery (SSRF) in model_download.py (line 195 in 3.2.7) that can be used to issue requests on behalf of the Applio server. The issue is described as a blind SSRF, with potential to probe internal...
CVE-2025-27779 Applio allows unsafe deserialization in model_blender.py
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in modelblender.py lines 20 and 21. modelfusiona and modelfusionb from voiceblender.py take user-supplied input e.g. a path to a model and pass that value to the runmodelblenderscript and...
CVE-2025-27782 Applio allows arbitrary file write in inference.py
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file write in inference.py. This issue may lead to writing arbitrary files on the Applio server. It can also be used in conjunction with an unsafe deserialization to achieve remote code execution. As of...
CVE-2025-27783 Applio allows arbitrary file write in train.py
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file write in train.py. This issue may lead to writing arbitrary files on the Applio server. It can also be used in conjunction with an unsafe deserialization to achieve remote code execution. As of tim...
CVE-2025-27784 Applio allows arbitrary file read in train.py export_pth function
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file read in train.py's exportpth function. This issue may lead to reading arbitrary files on the Applio server. It can also be used in conjunction with blind server-side request forgery to read files...
CVE-2025-27784
Applio CVE-2025-27784 affects Applio voice conversion tool (versions 3.2.8-bugfix and prior). The issue is an arbitrary file read in train.py's export_pth function, allowing reading arbitrary server files. It can be chained with blind server-side request forgery (SSRF) to access files on internal...
CVE-2025-27784 Applio allows arbitrary file read in train.py export_pth function
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file read in train.py's exportpth function. This issue may lead to reading arbitrary files on the Applio server. It can also be used in conjunction with blind server-side request forgery to read files...
CVE-2025-27787 Applio allows a DoS in restart.py
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to denial of service DoS in restart.py. modelname in train.py takes user input, and passes it to the stoptrain function in restart.py, which uses it construct a path to a folder with config.json. That config.json is...