21 matches found
EUVD-2025-13510
Malicious code in bioql PyPI...
EUVD-2025-13501
Malicious code in bioql PyPI...
EUVD-2025-13513
Malicious code in bioql PyPI...
EUVD-2025-6793
Malicious code in bioql PyPI...
CVE-2024-37145
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the /api/v1/chatflows-streaming/id endpoint. If the default configuration is used unauthenticated, an attacker may be able...
CVE-2025-43847
Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckptpath2 variable takes user input e.g. a path to a model and passes it to the extractsmallmodel function in processckpt.py, which uses ...
CVE-2025-43842
Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables expdir1, np7, trainsetdir4 and sr2 take user input and pass it to the preprocessdataset function, which concatenates them into a...
CVE-2025-43847 GHSL-2025-017_Retrieval-based-Voice-Conversion-WebUI
Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckptpath2 variable takes user input e.g. a path to a model and passes it to the extractsmallmodel function in processckpt.py, which uses ...
CVE-2025-43847 GHSL-2025-017_Retrieval-based-Voice-Conversion-WebUI
Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckptpath2 variable takes user input e.g. a path to a model and passes it to the extractsmallmodel function in processckpt.py, which uses ...
CVE-2025-43842
Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables expdir1, np7, trainsetdir4 and sr2 take user input and pass it to the preprocessdataset function, which concatenates them into a...
CVE-2025-43845
CVE-2025-43845 affects Retrieval-based-Voice-Conversion-WebUI (RVC-Project) up to version 2.2.231006. The root cause is a vulnerable ckpt_path2 handling: user input is passed to change_info_ which opens the path (altering to train.log) and feeds file contents to eval, enabling remote code executi...
CVE-2025-43844 GHSL-2025-014_Retrieval-based-Voice-Conversion-WebUI
Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables expdir1, among others, take user input and pass it to the clicktrain function, which concatenates them into a command that is run on...
CVE-2025-43843 GHSL-2025-013_Retrieval-based-Voice-Conversion-WebUI
Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables expdir1, np7 and f0method8 take user input and pass it into the extractf0feature function, which concatenates them into a command th...
CVE-2025-43842
The CVE-2025-43842 entry concerns Retrieval-based-Voice-Conversion-WebUI (VITS-based). Affected: versions 2.2.231006 and earlier. The root cause: user-provided inputs in variables exp_dir1, np7, trainset_dir4, and sr2 are fed into preprocess_dataset, concatenated into a server-side command, enabl...
CVE-2025-27775
Applio is a voice conversion tool. Versions 3.2.7 and prior are vulnerable to server-side request forgery SSRF and file write in modeldownload.py line 143 in 3.2.7. The blind SSRF allows for sending requests on behalf of Applio server and can be leveraged to probe for other vulnerabilities on the...
CVE-2025-27777
Applio is a voice conversion tool. Versions 3.2.7 and prior are vulnerable to server-side request forgery SSRF in modeldownload.py line 195 in 3.2.7. The blind SSRF allows for sending requests on behalf of Applio server and can be leveraged to probe for other vulnerabilities on the server itself ...
Flowise Path Injection at /api/v1/openai-assistants-file
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the /api/v1/openai-assistants-file endpoint in index.ts is vulnerable to arbitrary file read due to lack of sanitization of the fileName body parameter. No known patches for this...
CVE-2024-36420
Flowise CVE-2024-36420 affects Flowise v1.4.3, where the /api/v1/openai-assistants-file endpoint in index.ts is vulnerable to arbitrary file read due to insufficient sanitization of the fileName body parameter. The issue enables reading arbitrary files on the server and is documented across multi...
GHSA-G9PH-R9HC-34R8 Erxes vulnerable to Cross-site Scripting
Erxes, an experience operating system XOS with a set of plugins, is vulnerable to cross-site scripting in all versions. This results in client-side code execution. The victim must follow a malicious link or be redirected there from malicious web site. There are no known patches...
CVE-2021-32858 esdoc-publish-html-plugin vulnerable to Cross-site Scripting
esdoc-publish-html-plugin is a plugin for the document maintenance software ESDoc. TheHTML sanitizer in esdoc-publish-html-plugin 1.1.2 and prior can be bypassed which may lead to cross-site scripting XSS issues. There are no known patches for this issue...