cvedb.io
CVE-2025-43843
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2025-05-05T17:18:49.440 · Last modified 2026-06-17T09:24:37.723

Summary

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables exp_dir1, np7 and f0method8 take user input and pass it into the extract_f0_feature function, which concatenates them into a command that is run on the server. This can lead to arbitrary command execution. As of time of publication, no known patches exist.

Affected products

rvc-project — retrieval-based-voice-conversion-webui

Does this affect you?

Add your gear to cvedb and we'll alert you only when rvc-project ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.