PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8756 Unknown Vendor CVE debrief

CVE-2026-8756 describes a remotely reachable path traversal issue in the Gradio Interface of fishaudio Bert-VITS2. The vulnerable code is the generate_config function in webui_preprocess.py, where a manipulated data_dir argument can steer file handling outside the intended directory. The issue is rated medium severity (CVSS 5.5), and the exploit has been publicly disclosed, so the details may already be in attackers' hands. Because the project does not publish versioned releases, the affected scope is described only as everything up to commit 8f7fbd8c4770965225d258db548da27dc8dd934c.

Vendor
Unknown Vendor (the CVE description itself names the fishaudio project)
Product
Unknown (the CVE description itself names Bert-VITS2)
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-17
Original CVE updated
2026-05-18
Advisory published
2026-05-17
Advisory updated
2026-05-18

Who should care

Administrators, developers, and operators running fishaudio Bert-VITS2 with the Gradio Interface reachable from outside a trusted network, and in particular any deployment where user-controlled data_dir values are accepted by the preprocessing UI or forwarded into file-handling logic.

Technical summary

The vulnerability is a CWE-22 path traversal weakness in generate_config within webui_preprocess.py. According to the source description, remote manipulation of the data_dir argument influences filesystem path handling and may allow access to locations outside the intended directory scope. The record does not say whether the traversal affects a read or a write; given that the function generates configuration, an operator should assume both until the code has been reviewed. NVD metadata marks the issue as remotely exploitable with low attack complexity and low impact on confidentiality, integrity, and availability. The public source references point to VulDB and a public gist associated with the disclosure.

Defensive priority

Medium. The issue is not listed in KEV, but remote reachability, a public exploit write-up, and filesystem traversal together warrant prompt review and remediation in any exposed deployment.

Recommended defensive actions

  • Review every code path that passes data_dir into generate_config and add strict validation: accept only a plain directory name from an allowlist of intended locations, canonicalize it, and confirm the result stays under the intended root.
  • Reject absolute paths and any traversal segment before touching the filesystem; then resolve the path with symlinks followed and confirm the resolved location is still inside the intended directory, since a symlink escape is only visible after resolution.
  • Run the application with least privilege and restrict filesystem permissions so that a successful traversal cannot reach sensitive files or directories.
  • If a vendor or upstream fix becomes available, update to the corrected commit or release as soon as possible and verify the mitigation in a staging environment first.
  • Limit exposure of the Gradio Interface to trusted users or internal networks until the issue is remediated.
  • Monitor for unexpected file reads, writes, or configuration generation outside the expected directories.
  • Because the project does not use versioning, record the exact deployed commit hash and check whether it is at or before the affected upper bound noted in the disclosure.
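The pattern below is an added example, not code from fishaudio Bert-VITS2 or from the disclosure, written to illustrate the technical summary and the validation steps above. It models the unsafe shape the CVE description implies (a user-supplied data_dir joined straight under a fixed root) next to a hardened version that applies an allowlist, canonicalization, and a post-resolution containment check. The Data/ root, the config.yml file name, the function names, and the probe inputs are assumptions.

```python
"""Hardened data_dir handling for a CWE-22 pattern like the one described for
CVE-2026-8756.  Added example; not the project's own code.  DATA_ROOT, the
file name config.yml, the function names and all sample inputs are assumed."""
import os
import re
import tempfile
from pathlib import Path

DATA_ROOT = Path("Data")  # assumed root under which dataset directories live
# Allowlist shape: one plain directory name, no separators, no leading dot,
# so '..', '/', '\\' and NUL are rejected before any filesystem call.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def vulnerable_config_path(data_dir, root=DATA_ROOT):
    """Models the unsafe pattern: the user value is joined straight under root.
    '../x' climbs out of root; '/etc' replaces root entirely (Path join rules)."""
    return Path(root) / data_dir / "config.yml"


class UnsafeDataDir(ValueError):
    """Raised when a data_dir value fails validation."""


def safe_data_dir(data_dir, root=DATA_ROOT):
    """Return the canonical directory for data_dir or raise UnsafeDataDir."""
    if not isinstance(data_dir, str) or not NAME_RE.fullmatch(data_dir):
        raise UnsafeDataDir(f"rejected data_dir {data_dir!r}")
    root_real = Path(root).resolve()
    # resolve() follows symlinks; a dataset-looking name may be a link to
    # anywhere, so containment is checked on the resolved path, not the input.
    candidate = (root_real / data_dir).resolve()
    if candidate.parent != root_real:
        raise UnsafeDataDir(f"{data_dir!r} resolves outside {root_real}")
    return candidate


def safe_config_path(data_dir, root=DATA_ROOT):
    """Hardened counterpart of vulnerable_config_path."""
    return safe_data_dir(data_dir, root) / "config.yml"


def is_accepted(data_dir, root=DATA_ROOT):
    """True if the hardened check accepts data_dir, False if it rejects it."""
    try:
        safe_data_dir(data_dir, root)
        return True
    except UnsafeDataDir:
        return False


def build_fixture():
    """Constructed layout for the demonstration (not real project data):
    <tmp>/Data/clean_set/ plus a symlink <tmp>/Data/escape -> <tmp>/outside/."""
    tmp = Path(tempfile.mkdtemp())
    root = tmp / "Data"
    (root / "clean_set").mkdir(parents=True)
    outside = tmp / "outside"
    outside.mkdir()
    (root / "escape").symlink_to(outside, target_is_directory=True)
    return root, outside


def check_inputs(root):
    """Run assumed attacker-style probes through both handlers.  Returns
    {probe: (normalized vulnerable path, hardened outcome)} for comparison."""
    probes = ["clean_set", "new_set", "../../etc", "/etc",
              "clean_set/../../x", "escape", "a\x00b", ".."]
    results = {}
    for value in probes:
        vuln = os.path.normpath(str(vulnerable_config_path(value)))
        try:
            safe = str(safe_config_path(value, root))
        except UnsafeDataDir as exc:
            safe = f"REJECTED: {exc}"
        results[value] = (vuln, safe)
    return results


if __name__ == "__main__":
    fixture_root, _ = build_fixture()
    for probe, (vuln, safe) in check_inputs(fixture_root).items():
        print(f"{probe!r:22} unsafe -> {vuln:24} hardened -> {safe}")
```

The regex does most of the work because a dataset name has no business containing a separator at all; the post-resolution parent check is what catches the one case a string filter cannot see, a symlink inside the root that points elsewhere. To apply the last action item, record the output of git rev-parse HEAD for the deployment and compare it with the disclosure's upper-bound commit using the repository history; a hash alone does not tell you whether it predates the fix.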

Evidence notes

This debrief is based on the supplied NVD CVE record and its referenced source links. The CVE description states that fishaudio Bert-VITS2 up to commit 8f7fbd8c4770965225d258db548da27dc8dd934c is affected, that the vulnerable code is generate_config in webui_preprocess.py, that manipulation of data_dir leads to path traversal, and that the attack can be launched remotely. The description also states that the exploit was publicly disclosed and that the vendor was contacted early without response. NVD metadata lists CWE-22 and a CVSS vector indicating network-based, no-privilege, no-user-interaction exposure. One check before triaging on the number: a CVSS 3.1 vector with network access, low complexity, no privileges, no user interaction and low confidentiality, integrity and availability impact scores 7.3, not 5.5, so the stored score and the stored vector may come from different scoring sources or versions; confirm both against the live NVD entry.

Official resources

No vendor advisory or patch reference is present in the stored evidence. The source description says the issue was publicly disclosed and may be in use, and that the vendor was contacted early but did not respond. The CVE publication date used here is 2026-05-17T13:16:46.410Z, matching the supplied CVE record and source.