cve/2025/CVE-2025-27786.md

CVE-2025-27786

Description

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file removal in core.py. output_tts_path in tts.py takes arbitrary user input and passes it to run_tts_script function in core.py, which checks if the path in output_tts_path exists, and if yes, removes that path, which leads to arbitrary file removal. As of time of publication, no known patches are available.

POC

Reference

No PoCs from references.

Github

• https://github.com/fkie-cad/nvd-json-data-feeds