VYPR
Vendor: Applio

Products: 1
CVEs: 13
Across products: 13
Status: Private

Recent CVEs (13)

  • CVE-2025-27783 (Critical), Mar 19, 2025
    risk 0.64, cvss 9.8, epss 0.01

    Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file write in train.py. This issue may lead to writing arbitrary files on the Applio server. It can also be used in conjunction with an unsafe deserialization to achieve remote code…

  • CVE-2025-27782 (Critical), Mar 19, 2025
    risk 0.64, cvss 9.8, epss 0.01

    Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file write in inference.py. This issue may lead to writing arbitrary files on the Applio server. It can also be used in conjunction with an unsafe deserialization to achieve remote…

  • CVE-2025-27786 (Critical), Mar 19, 2025
    risk 0.59, cvss 9.1, epss 0.01

    Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file removal in core.py. `output_tts_path` in tts.py takes arbitrary user input and passes it to `run_tts_script` function in core.py, which checks if the path in `output_tts_path`…

  • CVE-2025-27787 (High), Mar 19, 2025
    risk 0.49, cvss 7.5, epss 0.01

    Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to denial of service (DoS) in restart.py. `model_name` in train.py takes user input and passes it to the `stop_train` function in restart.py, which uses it to construct a path to a folder with…

  • CVE-2025-27785 (High), Mar 19, 2025
    risk 0.49, cvss 7.5, epss 0.01

    Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file read in train.py's `export_index` function. This issue may lead to reading arbitrary files on the Applio server. It can also be used in conjunction with blind server-side request…

  • CVE-2025-27784 (High), Mar 19, 2025
    risk 0.49, cvss 7.5, epss 0.01

    Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file read in train.py's `export_pth` function. This issue may lead to reading arbitrary files on the Applio server. It can also be used in conjunction with blind server-side request…

  • CVE-2025-27777 (High), Mar 19, 2025
    risk 0.49, cvss 7.5, epss 0.00

    Applio is a voice conversion tool. Versions 3.2.7 and prior are vulnerable to server-side request forgery (SSRF) in `model_download.py` (line 195 in 3.2.7). The blind SSRF allows for sending requests on behalf of the Applio server and can be leveraged to probe for other…

  • CVE-2025-27776 (Medium), Mar 19, 2025
    risk 0.34, cvss 5.3, epss 0.01

    Applio is a voice conversion tool. Versions 3.2.7 and prior are vulnerable to server-side request forgery (SSRF) and file write in `model_download.py` (line 240 in 3.2.7). The blind SSRF allows for sending requests on behalf of the Applio server and can be leveraged to probe for…

  • CVE-2025-27775 (Medium), Mar 19, 2025
    risk 0.34, cvss 5.3, epss 0.01

    Applio is a voice conversion tool. Versions 3.2.7 and prior are vulnerable to server-side request forgery (SSRF) and file write in `model_download.py` (line 143 in 3.2.7). The blind SSRF allows for sending requests on behalf of the Applio server and can be leveraged to probe for…

  • CVE-2025-27774 (Medium), Mar 19, 2025
    risk 0.34, cvss 5.3, epss 0.01

    Applio is a voice conversion tool. Versions 3.2.7 and prior are vulnerable to server-side request forgery (SSRF) and file write in `model_download.py` (line 156 in 3.2.7). The blind SSRF allows for sending requests on behalf of the Applio server and can be leveraged to probe for…

  • CVE-2025-27781 (Critical), Mar 19, 2025
    risk 0.00, cvss 9.8, epss 0.01

    Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in inference.py. `model_file` in inference.py as well as `model_file` in tts.py take user-supplied input (e.g. a path to a model) and pass that value to the…

  • CVE-2025-27779 (Critical), Mar 19, 2025
    risk 0.00, cvss 9.8, epss 0.01

    Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in `model_blender.py` lines 20 and 21. `model_fusion_a` and `model_fusion_b` from voice_blender.py take user-supplied input (e.g. a path to a model) and pass that value to…

  • CVE-2025-27778 (Critical), Mar 19, 2025
    risk 0.00, cvss 9.8, epss 0.01

    Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in `infer.py`. The issue can lead to remote code execution. As of time of publication, a fix is available on the `main` branch of the Applio repository but not attached to…