CVE-2026-8756 - Vulnerability Details

- fishaudio Bert-VITS2 Gradio webui_preprocess.py generate_config path traversal

Description

A vulnerability has been found in fishaudio Bert-VITS2 up to 8f7fbd8c4770965225d258db548da27dc8dd934c. The impacted element is the function generate_config of the file webui_preprocess.py of the component Gradio Interface. Such manipulation of the argument data_dir leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-05-17

Score: 6.9 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability lies in the generate_config function of fishaudio Bert-VITS2’s Gradio webui_preprocess.py. An attacker can manipulate the data_dir argument to perform a path traversal, as identified by CWE-22. The description indicates that the attack can be launched remotely. At the time of disclosure the product did not publish specific version numbers, but the description indicates all releases before commit 8f7fbd8c4770965225d258db548da27dc8dd934c are impacted.

Affected Systems

All installations of fishaudio Bert-VITS2 that incorporate the Gradio Interface component and have not been updated to a commit containing the fix (identified as 8f7fbd8c4770965225d258db548da27dc8dd934c). The vendor does not provide an official release list, and no versioning information is available.

Risk and Exploitability

With a CVSS base score of 6.9 the vulnerability is considered moderate. The EPSS score is not available, and it is not listed in the CISA KEV catalog. The public disclosure and the statement that the attack can be launched remotely indicate that the risk remains significant, although the description does not specify the exact capabilities an attacker could derive. Therefore, the analysis refrains from claiming arbitrary file read/write or other specific impacts.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

fishaudio

Bert-VITS2

affected

Version	Status	Constraints
`8f7fbd8c4770965225d258db548da27dc8dd934c`	affected	—

No data.

Vendor Product Confidence Versions

Fishaudio

Bert-vits2

95%

Version	Status	Scheme	Platform
`8f7fbd8c4770965225d258db548da27dc8dd934c`	affected	code_commit	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Restrict the data_dir parameter to a predefined whitelist of safe directories and reject any other values.
Implement server‑side path normalization and character filtering to prevent directory escaping before using the value.
Apply the security fix corresponding to commit 8f7fbd8c4770965225d258db548da27dc8dd934c as soon as an official release becomes available.

Generated by OpenCVE AI on May 17, 2026 at 15:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://gist.github.com/YLChen-007/550cb92f3489c317ff049fc7d7ea6b99
https://vuldb.com/submit/811175
https://vuldb.com/vuln/364383
https://vuldb.com/vuln/364383/cti

History

Sun, 17 May 2026 13:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been found in fishaudio Bert-VITS2 up to 8f7fbd8c4770965225d258db548da27dc8dd934c. The impacted element is the function generate_config of the file webui_preprocess.py of the component Gradio Interface. Such manipulation of the argument data_dir leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Title		fishaudio Bert-VITS2 Gradio webui_preprocess.py generate_config path traversal
First Time appeared		Fishaudio Fishaudio bert-vits2
Weaknesses		CWE-22
CPEs		cpe:2.3:a:fishaudio:bert-vits2::::::::
Vendors & Products		Fishaudio Fishaudio bert-vits2
References		https://gist.github.com/YLChen-007/550cb92f3489c317ff049fc7d7ea6b99 https://vuldb.com/submit/811175 https://vuldb.com/vuln/364383 https://vuldb.com/vuln/364383/cti
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Fishaudio Bert-vits2

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-17T13:00:16.673Z

Updated: 2026-05-17T13:00:16.673Z

Reserved: 2026-05-16T17:36:57.785Z

Link: CVE-2026-8756

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-17T13:16:46.410

Modified: 2026-05-17T13:16:46.410

Link: CVE-2026-8756

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T15:15:04Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object