CVE-2026-27897

CRITICAL

Vociferous < 4.4.2 - Unauthenticated Path Traversal and Arbitrary File Write via Export File Route

Title source: llm

Description

Vociferous provides cross-platform, offline speech-to-text with local AI refinement. Prior to 4.4.2, the vulnerability exists in src/api/system.py within the export_file route. The application accepts a JSON payload containing a filename and content. While the developer intended for a native UI dialog to handle the file path, the API does not validate the filename string before it is processed by the backends filesystem logic. Because the API is unauthenticated and the CORS configuration in app.py is overly permissive (allow_origins=["*"] or allowing localhost), an external attacker can bypass the UI entirely. By using directory traversal sequences (../), an attacker can force the app to write arbitrary data to any location accessible by the current user's permissions. This vulnerability is fixed in 4.4.2.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://github.com/WanderingAstronomer/Vociferous/security/advisories/GHSA-7cpr-frgj-h85v

Scores

CVSS v3 10.0

EPSS 0.0064

EPSS Percentile 45.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-306 CWE-22

Status published

Products (1)

wanderingastronomer/vociferous < 4.4.2

Published Mar 11, 2026

Tracked Since Mar 11, 2026