PT-2026-30677 · Pypi+1 · Requests+1

Programsurf +2 · Published 2026-04-06 · Updated 2026-04-27 · CVE-2026-34981

CVSS v3.1

5.8 Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

whisperX versions 0.3.1 through 0.5.0

Description

The whisperX API, a tool for enhancing and analyzing audio content, has a flaw in the FileService.download_from_url() function within app/services/file_service.py. This function uses requests.get(url) without proper URL validation. The file extension check is performed after the HTTP request, allowing bypass by appending '.mp3' to internal URLs. The /speech-to-text-url endpoint is accessible without authentication.

Recommendations

Update to version 0.6.0 or later.
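The validation order the description says was missing, as an added illustration (this is not whisperX code and not the 0.6.0 fix): the URL is vetted before any request is sent, and the destination address is checked, not only the file extension. The names validate_media_url and UnsafeURL, the extension allow-list and the sample addresses are assumptions made for this sketch.

```python
import ipaddress
import socket
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Assumed policy for this sketch; not taken from the whisperX code base.
ALLOWED_SCHEMES = {"http": 80, "https": 443}
ALLOWED_EXTENSIONS = {".mp3", ".wav", ".m4a"}


class UnsafeURL(ValueError):
    """Raised when a URL must not be fetched."""


def validate_media_url(url: str) -> tuple[str, list[str]]:
    """Vet a URL without sending any HTTP request.

    Returns (hostname, resolved_ips); raises UnsafeURL otherwise.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise UnsafeURL("scheme or host not allowed")
    if parts.username or parts.password:
        raise UnsafeURL("embedded credentials not allowed")
    # Extension check happens before the fetch. It is input hygiene only:
    # the caller controls the path, so it cannot stand in for the address check.
    if PurePosixPath(parts.path).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise UnsafeURL("unsupported file extension")
    try:
        port = parts.port or ALLOWED_SCHEMES[parts.scheme]
        infos = socket.getaddrinfo(parts.hostname, port, type=socket.SOCK_STREAM)
    except (ValueError, socket.gaierror) as exc:
        raise UnsafeURL(f"cannot resolve target: {exc}") from exc
    ips = []
    for info in infos:
        ip = ipaddress.ip_address(info[4][0].split("%")[0])  # drop IPv6 zone id
        ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
        # Every resolved address must be publicly routable; one loopback,
        # private or link-local answer is enough to reject the URL.
        if not ip.is_global:
            raise UnsafeURL(f"{parts.hostname} resolves to non-public {ip}")
        ips.append(str(ip))
    return parts.hostname, ips
```

The download itself should connect to the addresses returned here instead of resolving the name a second time, and should be made with redirects disabled (allow_redirects=False in requests), passing each Location value through the same check.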

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-34981

Affected Products

Requests
Whisperx