52 matches found
CVE-2025-43850
Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckptdir variable takes user input e.g. a path to a model and passes it to the changeinfo function in export.py, which uses it to load the...
CVE-2025-43850 GHSL-2025-020_Retrieval-based-Voice-Conversion-WebUI
Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckptdir variable takes user input e.g. a path to a model and passes it to the changeinfo function in export.py, which uses it to load the...
CVE-2025-43849 GHSL-2025-019_Retrieval-based-Voice-Conversion-WebUI
Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckpta and cpktb variables take user input e.g. a path to a model and pass it to the merge function in processckpt.py, which uses them...
CVE-2025-43849 GHSL-2025-019_Retrieval-based-Voice-Conversion-WebUI
Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckpta and cpktb variables take user input e.g. a path to a model and pass it to the merge function in processckpt.py, which uses them...
CVE-2025-43846
Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckptpath1 variable takes user input e.g. a path to a model and passes it to the showinfo function in processckpt.py, which uses it to loa...
CVE-2025-43848
CVE-2025-43848 affects Retrieval-based-Voice-Conversion-WebUI (RVC-Project) up to version 2.2.231006. The flaw is unsafe deserialization in process_ckpt.py: ckpt_path0 accepts user input (e.g., a model path) and passes it to torch.load via change_info, enabling remote code execution. At publicati...
CVE-2025-43846 GHSL-2025-016_Retrieval-based-Voice-Conversion-WebUI
Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckptpath1 variable takes user input e.g. a path to a model and passes it to the showinfo function in processckpt.py, which uses it to loa...
PT-2025-19766 · Unknown · Retrieval-Based-Voice-Conversion-Webui
Name of the Vulnerable Software and Affected Versions: Retrieval-based-Voice-Conversion-WebUI versions 2.2.231006 and prior Description: Retrieval-based-Voice-Conversion-WebUI, a voice changing framework based on VITS, is susceptible to unsafe deserialization. The model choose variable accepts...
PT-2025-19750 · Vits +2 · Vits +2
Name of the Vulnerable Software and Affected Versions: Retrieval-based-Voice-Conversion-WebUI versions 2.2.231006 and prior Description: The issue concerns unsafe deserialization in the Retrieval-based-Voice-Conversion-WebUI voice changing framework, which is based on VITS. The ckpt path2 variabl...
CVE-2025-27779
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in modelblender.py lines 20 and 21. modelfusiona and modelfusionb from voiceblender.py take user-supplied input e.g. a path to a model and pass that value to the runmodelblenderscript and...
AgentScope Deserialization Vulnerability
A vulnerability in the RpcAgentServerLauncher class of modelscope/agentscope v0.0.6a3 allows for remote code execution RCE via deserialization of untrusted data using the dill library. The issue occurs in the AgentServerServicer.createagent method, where serialized input is deserialized using...
CVE-2025-27778
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in infer.py. The issue can lead to remote code execution. As of time of publication, a fix is available on the main branch of the Applio repository but not attached to a numbered release...
CVE-2025-27780
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in modelinformation.py. modelname in modelinformation.py takes user-supplied input e.g. a path to a model and pass that value to the runmodelinformationscript and later to modelinformation...
CVE-2025-27778 Applio allows unsafe deserialization in infer.py
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in infer.py. The issue can lead to remote code execution. As of time of publication, a fix is available on the main branch of the Applio repository but not attached to a numbered release...
CVE-2025-27781
Applio is affected by CVE-2025-27781 through unsafe deserialization in the inference.py module (and related tts.py input handling). Versions 3.2.8-bugfix and prior are vulnerable because user-supplied model_file values are passed to change_choices/get_speakers_id, which loads models with torch.lo...
CVE-2025-27781 Applio allows unsafe deserialization in inference.py
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in inference.py. modelfile in inference.py as well as modelfile in tts.py take user-supplied input e.g. a path to a model and pass that value to the changechoices and later to getspeakersid...
CVE-2025-27781 Applio allows unsafe deserialization in inference.py
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in inference.py. modelfile in inference.py as well as modelfile in tts.py take user-supplied input e.g. a path to a model and pass that value to the changechoices and later to getspeakersid...
CVE-2025-27780 Applio allows unsafe deserialization in model_information.py
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in modelinformation.py. modelname in modelinformation.py takes user-supplied input e.g. a path to a model and pass that value to the runmodelinformationscript and later to modelinformation...
Linux Distros Unpatched Vulnerability : CVE-2023-37895
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Java object deserialization issue in Jackrabbit webapp/standalone on all platforms allows attacker to remotely execute code via RMIVersions up to including...
Exploit for Deserialization of Untrusted Data in Ibm Sterling_B2B_Integrator
IBM Sterling B2B Integrator PoC Proof of concept code for the...