CVE-2025-27776

Name of the Vulnerable Software and Affected Versions Applio versions 3.2.7 and prior

Description Applio is a voice conversion tool that is vulnerable to server-side request forgery (SSRF) and file write in model download.py. The blind SSRF allows for sending requests on behalf of the Applio server and can be leveraged to probe for other vulnerabilities on the server itself or on other back-end systems on the internal network. The file write allows for writing files on the server, which can be coupled with other vulnerabilities to achieve remote code execution on the Applio server.

Recommendations For versions 3.2.7 and prior, consider disabling the model download.py script until a patch is available to prevent exploitation of the SSRF and file write vulnerabilities. Restrict access to the vulnerable model download.py file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.