cvedb.io
CVE-2025-43844
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2025-05-05T18:15:42.180 · Last modified 2026-06-17T09:24:37.847

Summary

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables exp_dir1, among others, take user input and pass it to the click_train function, which concatenates them into a command that is run on the server. This can lead to arbitrary command execution. As of time of publication, no known patches exist.

Affected products

rvc-project — retrieval-based-voice-conversion-webui

Does this affect you?

Add your gear to cvedb and we'll alert you only when rvc-project ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.