CVE-2025-27781: Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in inference
Summary
Applio, a voice conversion tool, has a vulnerability in versions 3.2.8-bugfix and earlier: it passes user-supplied model file paths to `torch.load`, which unsafely deserializes (converts untrusted data back into code objects) the file at that path and can allow attackers to run arbitrary code on the system. The vulnerability exists in the `inference.py` and `tts.py` files, where user input is passed directly to functions that load models without proper validation.
Solution / Mitigation
A patch is available on the `main` branch of the repository.
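The two checks whose absence the summary describes, path validation and restricted deserialization, as an added example that is not Applio's code or its patch. It uses the standard-library `pickle` (the format `torch.load` relies on) in place of PyTorch, and the function names, allowlist, file suffixes and sample data are assumptions made for illustration.

```python
import collections
import io
import pickle
from pathlib import Path

# Assumption: a plain weights file only needs this global to be rebuilt.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
ALLOWED_SUFFIXES = {".pth", ".pt"}  # assumed model file extensions


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global that is not explicitly allowlisted."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def resolve_model_path(user_path: str, models_dir: Path) -> Path:
    """Confine a user-supplied path to models_dir and to expected suffixes."""
    base = models_dir.resolve()
    candidate = (base / user_path).resolve()  # collapses ../ and symlinks
    if not candidate.is_relative_to(base):
        raise ValueError("model path escapes the models directory")
    if candidate.suffix not in ALLOWED_SUFFIXES:
        raise ValueError("unexpected model file extension")
    return candidate


def load_weights(data: bytes):
    """Deserialize untrusted bytes through the allowlisting unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True when the pickle stream asks for a global outside the allowlist."""
    try:
        load_weights(data)
        return False
    except pickle.UnpicklingError:
        return True


# Constructed samples: a plain weights mapping, and a harmless pickle that
# only references a non-allowlisted global (loading it executes nothing).
BENIGN = pickle.dumps(collections.OrderedDict(layer=[0.1, 0.2]))
SUSPECT = pickle.dumps(print)
```

In PyTorch itself, `torch.load(path, weights_only=True)` applies a comparable restriction to what the unpickler may construct.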
Vulnerability Details
9.8 (critical)
EPSS: 5.1%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-27781
First tracked: February 15, 2026 at 08:53 PM