VYPR

Cosyvoice

by FunAudioLLM

Source repositories

CVEs (5)

  • CVE-2026-31232HigMay 12, 2026
    risk 0.50cvss 8.8epss 0.00

    The CosyVoice project thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading process. When loading model files (.pt) from a user-specified directory (via the --model_dir argument), the…

  • CVE-2026-31251HigMay 11, 2026
    risk 0.40cvss 7.3epss 0.00

    CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its gRPC server component. When the server starts, it loads the speech synthesis model from a user-specified directory using torch.load()…

  • CVE-2026-31250HigMay 11, 2026
    risk 0.40cvss 7.3epss 0.00

    CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its average_model.py model averaging tool. The script loads PyTorch checkpoint files (epoch_*.pt) for model averaging using torch.load()…

  • CVE-2026-31249HigMay 11, 2026
    risk 0.40cvss 7.3epss 0.00

    CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its make_parquet_list.py data processing tool. The script loads PyTorch .pt files (utterance embeddings, speaker embeddings, speech tokens)…

  • CVE-2026-31252MedMay 11, 2026
    risk 0.30cvss 5.7epss 0.00

    CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading component. The framework uses torch.load() to load model weight files (e.g., llm.pt, flow.pt, hift.pt) without enabling…