CVE-2026-27897
CRITICALCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2Tags
Description
Vociferous provides cross-platform, offline speech-to-text with local AI refinement. Prior to 4.4.2, the vulnerability exists in src/api/system.py within the export_file route. The application accepts a JSON payload containing a filename and content. While the developer intended for a native UI dialog to handle the file path, the API does not validate the filename string before it is processed by the backends filesystem logic. Because the API is unauthenticated and the CORS configuration in app.py is overly permissive (allow_origins=["*"] or allowing localhost), an external attacker can bypass the UI entirely. By using directory traversal sequences (../), an attacker can force the app to write arbitrary data to any location accessible by the current user's permissions. This vulnerability is fixed in 4.4.2.
Analysis
Path traversal in Vociferous speech-to-text tool before 4.4.2. CVSS 10.0.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Disable the export_file API endpoint or restrict network access to it; inventory all systems running Vociferous versions prior to 4.4.2. Within 7 days: Isolate affected systems from production networks or implement strict API input validation through WAF rules; contact Vociferous vendor for patch ETA and interim mitigations. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today