AI Sec Watch

The Terraform WinDNS Provider (a tool for managing Windows DNS servers through Terraform, an infrastructure automation tool) had a security flaw before version 1.0.5 where the `windns_record` resource didn't properly validate user input, allowing authenticated command injection (an attack where malicious commands are sneaked into legitimate input to execute unauthorized code in the underlying PowerShell command prompt). This vulnerability only affects users who already have authentication access to the system.

A vulnerability (CVE-2025-4287) was found in PyTorch 2.6.0+cu124 in a function that handles GPU communication, which can be exploited to cause a denial of service (making a system or service stop working) by someone with local access to the computer. The vulnerability has been publicly disclosed and rated as medium severity.

Retrieval-based-Voice-Conversion-WebUI (a framework for changing voices using AI) in version 2.2.231006 and earlier has a critical vulnerability where user input is passed unsafely to a function that loads model files using torch.load (a Python tool that can execute code from files). An attacker could exploit this by providing a malicious model file path, leading to RCE (remote code execution, where an attacker can run commands on the system).

Retrieval-based-Voice-Conversion-WebUI, a voice changing framework, has a vulnerability in versions 2.2.231006 and earlier where user input (like a file path) is passed directly to torch.load (a function that reads model files). This unsafe deserialization (loading untrusted data that could contain malicious code) allows attackers to execute arbitrary commands on the system running the software.

Retrieval-based-Voice-Conversion-WebUI is a voice changing tool that has a security flaw in versions 2.2.231006 and earlier. The vulnerability allows unsafe deserialization (loading untrusted data that could contain malicious code) when the program takes user input for a model file path and loads it using torch.load, which could let attackers run arbitrary code on the system.

Retrieval-based-Voice-Conversion-WebUI, a voice changing tool, has a vulnerability in versions 2.2.231006 and earlier where unsafe deserialization (loading data in a way that can execute malicious code) allows attackers to run code remotely. The problem occurs because the software takes user input for model file paths and loads them using torch.load without proper safety checks, enabling RCE (remote code execution, where attackers can run commands on the affected system).

Retrieval-based-Voice-Conversion-WebUI, a voice-changing tool, has a vulnerability in versions 2.2.231006 and earlier where user input for model file paths is passed unsafely to torch.load (a function that loads saved AI models). This unsafe deserialization (loading data from untrusted sources without checking it first) can allow attackers to run arbitrary code on the system.

Retrieval-based-Voice-Conversion-WebUI, a voice-changing framework, has a critical vulnerability in versions 2.2.231006 and earlier where unsafe deserialization (loading data from untrusted sources without checking it first) can occur. An attacker can exploit this by providing a malicious file path that gets loaded using torch.load, which can lead to RCE (remote code execution, where an attacker runs commands on a system they don't own).

Retrieval-based-Voice-Conversion-WebUI, a voice changing tool based on VITS (a voice synthesis model), has a vulnerability in versions 2.2.231006 and earlier where user-supplied file paths are loaded directly using torch.load (a function that can execute code when loading files), allowing attackers to run arbitrary code on the system. This happens because the ckpt_path1 variable accepts untrusted input and passes it unsafely to a model-loading function.