{"id":"CVE-2026-43624","summary":"F5-TTS 1.1.20 Path Traversal via finetune_gradio.py create_data_project()","details":"F5-TTS through version 1.1.20 contains a path traversal vulnerability in the finetune Gradio handlers that allows unauthenticated attackers to write arbitrary files by passing unsanitized user-supplied project names directly to os.path.join() without validating the resulting path stays within the intended base directory. Attackers can supply absolute path arguments such as /tmp/EVIL to override the base directory entirely and create arbitrary directories with attacker-controlled JSON content at any filesystem path writable by the server process.","modified":"2026-07-16T03:30:48.095873916Z","published":"2026-06-01T18:16:10.130Z","database_specific":{"cna_assigner":"VulnCheck","cwe_ids":["CWE-22"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43624.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43624.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43624"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/f5-tts-path-traversal-via-finetune-gradio-py-create-data-project"},{"type":"REPORT","url":"https://github.com/SWivid/F5-TTS/issues/1293"},{"type":"REPORT","url":"https://github.com/SWivid/F5-TTS/pull/1294"},{"type":"FIX","url":"https://github.com/SWivid/F5-TTS/commit/2f53ded68e5f69e248ceb200a51ef4d1dc647936"},{"type":"PACKAGE","url":"https://github.com/SWivid/F5-TTS"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/swivid/f5-tts","events":[{"introduced":"0"},{"fixed":"6f910225197d36374ecb389166481432d739973d"},{"fixed":"2f53ded68e5f69e248ceb200a51ef4d1dc647936"}],"database_specific":{"source":["DESCRIPTION","REFERENCES"],"extracted_events":[{"introduced":"F5-TTS"},{"fixed":"1.1.20"}]}}],"versions":["1.1.20","1.1.19","1.1.18","1.1.17","1.1.16","1.1.15","1.1.12","1.1.10","1.1.9","1.1.8","1.1.7","1.1.6","1.1.5","1.1.4","1.1.3","1.1.0","1.0.8","1.0.3","1.0.0","0.6.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43624.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"}]}