CVE-2026-43624: F5-TTS through version 1.1.20 contains a path traversal vulnerability in the finetune Gradio handlers that allows unauth
Summary
F5-TTS (text-to-speech software) through version 1.1.20 has a path traversal vulnerability (a flaw that lets attackers reach files outside the intended directory) in its finetune Gradio handlers (the components that process fine-tuning requests). Unauthenticated attackers can exploit it by supplying malicious project names that are not validated, which lets them write arbitrary files anywhere on the server's filesystem.
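A defensive sketch of the check the summary says is missing, added here as an example; it is not F5-TTS code and not the project's fix. The helper names, the name allowlist and the `projects` base directory are assumptions, and the inputs are constructed.

```python
import os
import re
import tempfile

# Assumption: project names are short identifiers; this allowlist is illustrative.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def naive_project_dir(base, project_name):
    """Unchecked join, the pattern the summary describes (hypothetical helper)."""
    return os.path.normpath(os.path.join(base, project_name))


def safe_project_dir(base, project_name):
    """Return the project directory under base, or raise ValueError."""
    if not _NAME_RE.fullmatch(project_name):
        raise ValueError(f"invalid project name: {project_name!r}")
    base_real = os.path.realpath(base)
    # realpath resolves symlinks, so a link planted inside base cannot escape it.
    target = os.path.realpath(os.path.join(base_real, project_name))
    if os.path.commonpath([base_real, target]) != base_real or target == base_real:
        raise ValueError(f"project path escapes base: {project_name!r}")
    return target


def is_rejected(base, project_name):
    try:
        safe_project_dir(base, project_name)
    except ValueError:
        return True
    return False


def demo():
    """Constructed inputs; returns {name: (naive_path_inside_base, rejected)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "projects")
        os.mkdir(base)
        os.symlink(tmp, os.path.join(base, "link"))  # constructed symlink escape
        for name in ["my_voice", "../outside", "/abs/path", "a/../../b", "link", ""]:
            inside = naive_project_dir(base, name).startswith(base + os.sep)
            results[name] = (inside, is_rejected(base, name))
    return results


if __name__ == "__main__":
    for name, (inside, rejected) in demo().items():
        print(f"{name!r:14} naive path inside base: {inside!s:5} rejected: {rejected}")
```

The `link` case is the one a string prefix check misses: the joined path looks like it is under the base directory, but it resolves outside it.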
Vulnerability Details
CVSS 3.1 score: 8.2 (high)
EPSS: 0.0%
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Attack vector: network
Attack complexity: low
Privileges required: none
User interaction: none
June 1, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-43624
First tracked: June 2, 2026 at 02:08 AM
Classified by LLM (prompt v3) · confidence: 92%