10.0
Vociferous: Unvalidated File Path Allows Arbitrary File Overwriting
CVE-2026-27897
Summary
Vociferous's API allows an attacker to write files to any location on the system, potentially leading to data corruption or unauthorized access. This issue affects versions prior to 4.4.2. To mitigate the risk, update to version 4.4.2 or later, and ensure proper configuration of the API's CORS settings.
Original description
Vociferous provides cross-platform, offline speech-to-text with local AI refinement. Prior to 4.4.2, the vulnerability exists in src/api/system.py within the export_file route. The application accepts a JSON payload containing a filename and content. While the developer intended for a native UI dialog to handle the file path, the API does not validate the filename string before it is processed by the backend's filesystem logic. Because the API is unauthenticated and the CORS configuration in app.py is overly permissive (allow_origins=["*"] or allowing localhost), an external attacker can bypass the UI entirely. By using directory traversal sequences (../), an attacker can force the app to write arbitrary data to any location accessible by the current user's permissions. This vulnerability is fixed in 4.4.2.
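The root cause described above is a client-supplied filename reaching the filesystem unchecked. The validator below is an added example written for this page, not Vociferous's own code or fix; the function names, the export-directory layout and the sample filenames are assumptions. It goes slightly beyond the advisory's ../ case by also rejecting absolute paths, backslash separators, NUL bytes and symlink escapes, and it addresses only the path check (the missing authentication and the permissive CORS policy need their own fixes).

```python
"""Hardened export-path validation for a filename taken from an untrusted
JSON payload. Added illustration, not Vociferous's code; the function names
and the export-directory layout are assumptions."""
import tempfile
from pathlib import Path


class UnsafeExportPath(ValueError):
    """Raised when a client-supplied filename escapes the export directory."""


def safe_export_path(export_dir: Path, filename: str) -> Path:
    """Return an absolute path inside export_dir for a client-supplied name.

    A native file dialog only ever hands back a bare filename, so separators,
    NUL bytes and reserved names are rejected up front; resolve() then
    collapses '..' and follows symlinks so the parent check catches escapes.
    """
    if not filename or filename in (".", ".."):
        raise UnsafeExportPath("empty or reserved filename")
    if any(sep in filename for sep in ("/", "\\", "\x00")):
        raise UnsafeExportPath("path separators are not allowed")
    base = export_dir.resolve()
    candidate = (base / filename).resolve()
    if candidate.parent != base:
        raise UnsafeExportPath("filename escapes the export directory")
    return candidate


def export_file(export_dir: Path, payload: dict) -> Path:
    """Write payload['content'] to a validated path under export_dir."""
    target = safe_export_path(export_dir, str(payload.get("filename", "")))
    target.write_text(str(payload.get("content", "")), encoding="utf-8")
    return target


# Constructed sample inputs: one legitimate name plus malformed names of the
# kind the advisory describes (traversal, absolute path, NUL, empty).
SAMPLE_NAMES = ["transcript.txt", "../../.bashrc", "/etc/passwd",
                "..\\..\\startup.cmd", "..", "a\x00b", ""]


def demo() -> dict:
    """Run export_file over SAMPLE_NAMES in a fresh temporary directory."""
    export_dir = Path(tempfile.mkdtemp())
    accepted, rejected = [], []
    for name in SAMPLE_NAMES:
        try:
            export_file(export_dir, {"filename": name, "content": "demo"})
            accepted.append(name)
        except UnsafeExportPath:
            rejected.append(name)
    return {"dir": str(export_dir), "accepted": accepted, "rejected": rejected}
```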
NVD CVSS 3.1 score: 10.0
Vulnerability type
CWE-22: Path Traversal
CWE-306: Missing Authentication for Critical Function
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026