cvebase

Iahispano Applio vulnerabilities

14 known vulnerabilities affecting iahispano/applio.

Total CVEs: 14
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 4, MEDIUM 3

Vulnerabilities

CVE-2025-27782 | P2 | CRITICAL | CVSS 9.8 | ≤ 3.2.8-bugfix | 2025-03-19
CWE-22. Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file write in inference.py. This issue may lead to writing arbitrary files on the Applio server. It can also be used in conjunction with an unsafe deserialization to achieve remote code execution. As of time of publication, no known patches are available.
nvd
CVE-2025-27783 | P2 | CRITICAL | CVSS 9.8 | ≤ 3.2.8-bugfix | 2025-03-19
CWE-22. Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file write in train.py. This issue may lead to writing arbitrary files on the Applio server. It can also be used in conjunction with an unsafe deserialization to achieve remote code execution. As of time of publication, no known patches are available.
nvd
CVE-2025-27779 | P2 | CRITICAL | CVSS 9.8 | ≤ 3.2.8-bugfix | 2025-03-19
CWE-502. Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in `model_blender.py` lines 20 and 21. `model_fusion_a` and `model_fusion_b` from voice_blender.py take user-supplied input (e.g. a path to a model) and pass that value to the `run_model_blender_script` and later to `model_blender` function,
nvd
CVE-2025-27778 | P2 | CRITICAL | CVSS 9.8 | ≤ 3.2.8-bugfix | 2025-03-19
CWE-502. Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in `infer.py`. The issue can lead to remote code execution. As of time of publication, a fix is available on the `main` branch of the Applio repository but not attached to a numbered release.
nvd
CVE-2025-27780 | P2 | CRITICAL | CVSS 9.8 | ≤ 3.2.8-bugfix | 2025-03-19
CWE-502. Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in model_information.py. `model_name` in model_information.py takes user-supplied input (e.g. a path to a model) and passes that value to the `run_model_information_script` and later to `model_information` function, which loads that model with
nvd
CVE-2025-27781 | P2 | CRITICAL | CVSS 9.8 | ≤ 3.2.8-bugfix | 2025-03-19
CWE-502. Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in inference.py. `model_file` in inference.py as well as `model_file` in tts.py take user-supplied input (e.g. a path to a model) and pass that value to the `change_choices` and later to `get_speakers_id` function, which loads that model wit
nvd
CVE-2025-27786 | P3 | CRITICAL | CVSS 9.1 | ≤ 3.2.8-bugfix | 2025-03-19
CWE-22. Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file removal in core.py. `output_tts_path` in tts.py takes arbitrary user input and passes it to `run_tts_script` function in core.py, which checks if the path in `output_tts_path` exists, and if yes, removes that path, which leads to arbitrary file remova
nvd
CVE-2025-27784 | P3 | HIGH | CVSS 7.5 | ≤ 3.2.8-bugfix | 2025-03-19
CWE-200. Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file read in train.py's `export_pth` function. This issue may lead to reading arbitrary files on the Applio server. It can also be used in conjunction with blind server-side request forgery to read files from servers on the internal network that the Applio se
nvd
CVE-2025-27785 | P3 | HIGH | CVSS 7.5 | ≤ 3.2.8-bugfix | 2025-03-19
CWE-22. Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file read in train.py's `export_index` function. This issue may lead to reading arbitrary files on the Applio server. It can also be used in conjunction with blind server-side request forgery to read files from servers on the internal network that the Applio s
nvd
CVE-2025-27777 | P3 | HIGH | CVSS 7.5 | ≤ 3.2.7 | 2025-03-19
CWE-918. Applio is a voice conversion tool. Versions 3.2.7 and prior are vulnerable to server-side request forgery (SSRF) in `model_download.py` (line 195 in 3.2.7). The blind SSRF allows for sending requests on behalf of Applio server and can be leveraged to probe for other vulnerabilities on the server itself or on other back-end systems on the internal netw
nvd
CVE-2025-27787 | P3 | HIGH | CVSS 7.5 | ≤ 3.2.8-bugfix | 2025-03-19
CWE-22. Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to denial of service (DoS) in restart.py. `model_name` in train.py takes user input, and passes it to the `stop_train` function in restart.py, which uses it to construct a path to a folder with `config.json`. That `config.json` is opened and the list of values under "process
nvd
CVE-2025-27776 | P3 | MEDIUM | CVSS 5.3 | ≤ 3.2.7 | 2025-03-19
CWE-918. Applio is a voice conversion tool. Versions 3.2.7 and prior are vulnerable to server-side request forgery (SSRF) and file write in `model_download.py` (line 240 in 3.2.7). The blind SSRF allows for sending requests on behalf of Applio server and can be leveraged to probe for other vulnerabilities on the server itself or on other back-end systems on
nvd
CVE-2025-27774 | P3 | MEDIUM | CVSS 5.3 | ≤ 3.2.7 | 2025-03-19
CWE-918. Applio is a voice conversion tool. Versions 3.2.7 and prior are vulnerable to server-side request forgery (SSRF) and file write in `model_download.py` (line 156 in 3.2.7). The blind SSRF allows for sending requests on behalf of Applio server and can be leveraged to probe for other vulnerabilities on the server itself or on other back-end systems on
nvd
CVE-2025-27775 | P3 | MEDIUM | CVSS 5.3 | ≤ 3.2.7 | 2025-03-19
CWE-918. Applio is a voice conversion tool. Versions 3.2.7 and prior are vulnerable to server-side request forgery (SSRF) and file write in `model_download.py` (line 143 in 3.2.7). The blind SSRF allows for sending requests on behalf of Applio server and can be leveraged to probe for other vulnerabilities on the server itself or on other back-end systems on
nvd