Path Traversal Vulnerability in F5-TTS by SWivid
CVE-2026-43624

8.8HIGH

Key Information:

Vendor: Swivid
Status: F5-tts
Vendor: CVE Published:; 1 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-43624?

F5-TTS versions up to 1.1.20 are susceptible to a path traversal vulnerability within the finetune Gradio handlers. This flaw permits unauthenticated attackers to write arbitrary files by manipulating unsanitized user input for project names, which are directly passed to the os.path.join() function. As a result, attackers can exploit this vulnerability by providing absolute path arguments, allowing them to bypass the base directory restrictions. This malicious action enables them to create directories and write JSON content at any writable filesystem path under the control of the server process.

Affected Version(s)

F5-TTS 0 <= 1.1.20

F5-TTS 2f53ded68e5f69e248ceb200a51ef4d1dc647936

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-43624 - Proof of Concept

References

https://github.com/SWivid/F5-TTS/issues/1293

technical-descriptionexploit

https://github.com/SWivid/F5-TTS/pull/1294

issue-tracking

https://github.com/SWivid/F5-TTS/commit/2f53ded68e5f69e24...

patch

CVSS V4

Score:

8.8

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 1, 2026
👾
Exploit known to exist
Jun 1, 2026
Vulnerability published
Jun 1, 2026
Vulnerability Reserved
May 1, 2026

Credit

YU SUN

CVE-2026-43624 Data

JSON

Swivid

Badges

What is CVE-2026-43624?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit