PT-2025-11976 · Applio · Applio

Published: 2025-03-19 · Updated: 2025-08-01 · CVE-2025-27774

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the vulnerable software and affected versions: Applio versions 3.2.7 and prior

Description: Applio is a voice conversion tool. It is susceptible to server-side request forgery (SSRF) and arbitrary file write in model download.py (line 156 in version 3.2.7). The blind SSRF allows requests to be sent on behalf of the Applio server, which can be used to discover other vulnerabilities on the server or on back-end systems in the internal network reachable from Applio. Combined with an arbitrary file read capability, the SSRF can be used to read files from hosts on the internal network, turning it into a full SSRF. The file write vulnerability allows files to be written on the server, which, chained with other vulnerabilities such as unsafe deserialization, could lead to remote code execution on the Applio server.

Recommendations: At the time of writing, there is no information about a newer version containing a fix for this vulnerability.
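The two issues named above share a root cause: a server-side "download a model from this URL" feature that trusts both the URL it is told to fetch and the file name it is told to save under. As an added defensive illustration (this is not Applio's code and does not reproduce the vulnerable line), the Python below shows the checks such an endpoint needs: validating the URL so the server only fetches from publicly routable hosts, and confining the destination name to the intended model directory. The function names, the `resolver` hook, the `models` directory and the sample host names are assumptions made for the example.

```python
"""Hardening checks for a server-side "download model from URL" feature.

Illustrative example only: these are not Applio functions and do not reproduce
the vulnerable code; they show the validation such an endpoint needs.
"""
import ipaddress
import os
import socket
from urllib.parse import unquote, urlparse

ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host):
    """Resolve a host name to the set of IP strings it currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_forbidden_address(ip_str):
    """True for any address a server-side fetch must never reach: loopback,
    private (RFC 1918 / ULA), link-local, shared address space, multicast,
    reserved and unspecified ranges. IPv4-mapped IPv6 (::ffff:a.b.c.d) is
    unwrapped first so it cannot smuggle a forbidden IPv4 address."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global) or ip.is_multicast


def validate_download_url(url, resolver=_default_resolver):
    """Validate a user-supplied download URL before the server fetches it.

    Returns (parsed_url, addresses) on success and raises ValueError otherwise.
    The caller should connect to one of the returned, already-checked addresses
    (sending the Host header separately) rather than resolving the name again,
    so a DNS answer cannot change between the check and the fetch.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise ValueError("URL has no host")
    if parsed.username is not None or parsed.password is not None:
        raise ValueError("credentials in URL are not allowed")
    try:
        addresses = {str(ipaddress.ip_address(host))}   # literal IP address
    except ValueError:
        addresses = set(resolver(host))                  # DNS name
    if not addresses:
        raise ValueError(f"host does not resolve: {host!r}")
    for addr in sorted(addresses):
        if is_forbidden_address(addr):
            raise ValueError(f"{host!r} resolves to non-public address {addr}")
    return parsed, addresses


def safe_destination(base_dir, requested_name):
    """Map a client-supplied file name to a path strictly inside base_dir.

    Rejects empty names, NUL bytes, '.' and '..', and any path separator
    (checked after percent-decoding, so '%2e%2e%2f' is caught too), then
    confirms with realpath + commonpath that the final path stays under base_dir.
    """
    name = unquote(requested_name)
    if not name or name in (".", "..") or "\x00" in name:
        raise ValueError("invalid file name")
    if os.path.basename(name) != name or "/" in name or "\\" in name:
        raise ValueError("file name must not contain path components")
    base = os.path.realpath(base_dir)
    dest = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, dest]) != base:
        raise ValueError("destination escapes base directory")
    return dest


def is_rejected(check, *args):
    """Helper for demos and tests: True if check(*args) raises ValueError."""
    try:
        check(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs; the fake resolver keeps the demo offline.
    fake_dns = lambda host: {"8.8.8.8"} if host == "models.example.com" else {"127.0.0.1"}
    for url in ("https://models.example.com/voice.pth",
                "http://127.0.0.1:8000/admin",
                "http://rebind.example.com/voice.pth",
                "file:///etc/hostname"):
        print(url, "->", "rejected" if is_rejected(validate_download_url, url, fake_dns) else "ok")
    for name in ("voice.pth", "../../etc/x", "%2e%2e%2fx"):
        print(name, "->", "rejected" if is_rejected(safe_destination, "models", name) else "ok")
```

Resolving the host once and handing the checked addresses to the fetch code is what makes the SSRF check hold up; a check that only inspects the URL string, or that lets the HTTP client resolve the name a second time, can be bypassed by a host whose DNS answer differs between the two lookups. The file-name check deliberately refuses any path component rather than trying to sanitise one, since a download endpoint has no legitimate reason to write outside its model directory.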

Tags: Exploit · RCE · SSRF

Weakness Enumeration: none listed

Related Identifiers: CVE-2025-27774

Affected Products: Applio