216.73.217.98

CVE-2025-49835

· Published 15/07/2025 21:15 · Modified 16/07/2025 14:58

Labels: CVE-2025-49835 2025-07-15CVE-2025-49835CWE-77[email protected]

Essential information

Published
15/07/2025 21:15
Modified
16/07/2025 14:58
Author
Creator
CVSS
8.9 HIGH (v3) 8.9 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in webui.py open_asr function. asr_inp_dir (and a number of other variables) takes user input, which is passed to the open_asr function, which concatenates the user input into a command and runs it on the server, leading to arbitrary command execution. At time of publication, no known patched versions are available.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
gpt-sovits / webui cpe:2.3:a:gpt-sovits:webui:20250228v3:*:*:*:*:*:*:*
gpt-sovits / webui cpe:2.3:a:gpt-sovits:webui:*:*:*:*:*:*:*:*

References