cbcvebase.

Rvc-Boss Gpt-Sovits vulnerabilities

9 known vulnerabilities affecting rvc-boss/gpt-sovits.

Total CVEs
9
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL9

Vulnerabilities

Page 1 of 1
CVE-2025-49833P2CRITICALCVSS 9.8≤ 20250228v32025-07-15
CVE-2025-49833 [CRITICAL] CWE-77 CVE-2025-49833: GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, t GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in the webui.py open_slice function. slice_opt_root and slice-inp-path takes user input, which is passed to the open_slice function, which concatenates the user input into a command and runs it on the server,
nvd
CVE-2025-49836P2CRITICALCVSS 9.8≤ 20250228v32025-07-15
CVE-2025-49836 [CRITICAL] CWE-77 CVE-2025-49836: GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, t GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in webui.py change_label function. path_list takes user input, which is passed to the change_label function, which concatenates the user input into a command and runs it on the server, leading to arbitrary co
nvd
CVE-2025-49834P2CRITICALCVSS 9.8≤ 20250228v32025-07-15
CVE-2025-49834 [CRITICAL] CWE-77 CVE-2025-49834: GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, t GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in webui.py open_denoise function. denoise_inp_dir and denoise_opt_dir take user input, which is passed to the open_denoise function, which concatenates the user input into a command and runs it on the server
nvd
CVE-2025-49835P2CRITICALCVSS 9.8≤ 20250228v32025-07-15
CVE-2025-49835 [CRITICAL] CWE-77 CVE-2025-49835: GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, t GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in webui.py open_asr function. asr_inp_dir (and a number of other variables) takes user input, which is passed to the open_asr function, which concatenates the user input into a command and runs it on the ser
nvd
CVE-2025-49841P3CRITICALCVSS 9.8≤ 20250228v32025-07-15
CVE-2025-49841 [CRITICAL] CWE-502 CVE-2025-49841: GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, t GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in process_ckpt.py. The SoVITS_dropdown variable takes user input and passes it to the load_sovits_new function in process_ckpt.py. In load_sovits_new, the user input, here sovits_path is used to load
nvd
CVE-2025-49840P3CRITICALCVSS 9.8≤ 20250228v32025-07-15
CVE-2025-49840 [CRITICAL] CWE-502 CVE-2025-49840: GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, t GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in inference_webui.py. The GPT_dropdown variable takes user input and passes it to the change_gpt_weights function. In change_gpt_weights, the user input, here gpt_path is used to load a model with tor
nvd
CVE-2025-49837P3CRITICALCVSS 9.8≤ 20250228v32025-07-15
CVE-2025-49837 [CRITICAL] CWE-502 CVE-2025-49837: GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, t GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in vr.py AudioPre. The model_choose variable takes user input (e.g. a path to a model) and passes it to the uvr function. In uvr, a new instance of AudioPre class is created with the model_path attribu
nvd
CVE-2025-49838P3CRITICALCVSS 9.8≤ 20250228v32025-07-15
CVE-2025-49838 [CRITICAL] CWE-502 CVE-2025-49838: GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, t GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in vr.py AudioPreDeEcho. The model_choose variable takes user input (e.g. a path to a model) and passes it to the uvr function. In uvr, a new instance of AudioPreDeEcho class is created with the model_
nvd
CVE-2025-49839P3CRITICALCVSS 9.8≤ 20250228v32025-07-15
CVE-2025-49839 [CRITICAL] CWE-502 CVE-2025-49839: GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, t GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in bsroformer.py. The model_choose variable takes user input (e.g. a path to a model) and passes it to the uvr function. In uvr, a new instance of Roformer_Loader class is created with the model_path a
nvd
Rvc-Boss Gpt-Sovits vulnerabilities | cvebase