PT-2025-11986 · Applio · Applio

Sylwia Budzynska +1

Published 2025-03-19 · Updated 2025-03-20

CVE-2025-27786

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Applio versions 3.2.8-bugfix and prior
Description: The issue is arbitrary file removal in the core.py component. The output_tts_path variable in tts.py accepts arbitrary user input, which is passed unchanged to the run_tts_script function in core.py. That function checks whether the path given in output_tts_path exists and, if it does, removes it, so a caller who controls output_tts_path can delete any file the Applio process has permission to remove. No patch was known as of the time of publication.
Recommendations: For versions 3.2.8-bugfix and prior, consider disabling the run_tts_script function in core.py as a temporary workaround until a patch is available. Restrict what output_tts_path in tts.py may contain (for example, by confining it to a dedicated output directory and rejecting absolute paths and ".." segments) to reduce the risk of exploitation. At the moment there is no information about a newer version that contains a fix for this vulnerability.
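As an added example (this is not Applio's own code, and none of the names below are taken from the project), the following Python shows the unsafe pattern the description outlines next to a hardened variant that implements the confinement suggested in the recommendations. The function names run_tts_script_unsafe, run_tts_script_safe and safe_output_path, the base_dir argument and the temporary files are all assumptions made for the demonstration.

```python
# Added example, not Applio's code. Shows the "check exists, then remove a
# caller-supplied path" pattern beside a variant that confines the path to a
# base directory. All names here are illustrative assumptions.
import os
import tempfile
from pathlib import Path


def run_tts_script_unsafe(output_tts_path: str) -> bool:
    """The pattern the advisory describes: if the caller-supplied path exists,
    remove it, whatever it points to. Returns True when a file was deleted."""
    if os.path.exists(output_tts_path):
        os.remove(output_tts_path)
        return True
    return False


def safe_output_path(user_path: str, base_dir: str) -> Path:
    """Resolve user_path inside base_dir and refuse anything that escapes it.
    Absolute paths replace the base when joined, '..' segments climb out of it,
    and symlinks are followed by resolve(); all three end up outside base and
    are rejected."""
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"output path escapes {base}: {user_path!r}")
    if candidate == base:
        raise ValueError("output path must name a file, not the base directory")
    return candidate


def run_tts_script_safe(output_tts_path: str, base_dir: str) -> bool:
    """Hardened variant: only removes a regular file that lives inside base_dir."""
    target = safe_output_path(output_tts_path, base_dir)
    if target.is_file():
        target.unlink()
        return True
    return False


def demo() -> dict:
    """Constructed scenario: a victim file outside the output directory is
    attacked with an absolute path and with '..' traversal; a legitimate
    output file inside the directory is overwritten as intended."""
    with tempfile.TemporaryDirectory() as tmp:
        outputs = Path(tmp) / "outputs"
        outputs.mkdir()
        victim = Path(tmp) / "victim.txt"
        victim.write_text("important")
        results = {}

        # 1. Unsafe: an absolute path to a file outside outputs is deleted.
        results["unsafe_deleted_victim"] = run_tts_script_unsafe(str(victim))
        results["victim_exists_after_unsafe"] = victim.exists()
        victim.write_text("important")  # restore for the hardened checks

        # 2. Safe: the absolute path is rejected before anything is touched.
        try:
            run_tts_script_safe(str(victim), str(outputs))
            results["safe_absolute_rejected"] = False
        except ValueError:
            results["safe_absolute_rejected"] = True

        # 3. Safe: '..' traversal out of outputs is rejected too.
        try:
            run_tts_script_safe("../victim.txt", str(outputs))
            results["safe_traversal_rejected"] = False
        except ValueError:
            results["safe_traversal_rejected"] = True
        results["victim_exists_after_safe"] = victim.exists()

        # 4. Safe: a file inside outputs is still replaced as the feature intends.
        (outputs / "tts.wav").write_bytes(b"RIFF")
        results["safe_deleted_legit"] = run_tts_script_safe("tts.wav", str(outputs))
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hardened version resolves the joined path before comparing it with the base directory, which is what catches absolute inputs, ".." segments and symlinks pointing elsewhere in one check; a plain string-prefix comparison on the unresolved path would miss the last two.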

Exploit

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2025-27786

Affected Products

Applio