Vulnerability Description
Vociferous provides cross-platform, offline speech-to-text with local AI refinement. Prior to 4.4.2, the vulnerability exists in src/api/system.py within the export_file route. The application accepts a JSON payload containing a filename and content. While the developer intended for a native UI dialog to handle the file path, the API does not validate the filename string before it is processed by the backends filesystem logic. Because the API is unauthenticated and the CORS configuration in app.py is overly permissive (allow_origins=["*"] or allowing localhost), an external attacker can bypass the UI entirely. By using directory traversal sequences (../), an attacker can force the app to write arbitrary data to any location accessible by the current user's permissions. This vulnerability is fixed in 4.4.2.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wanderingastronomer | Vociferous | < 4.4.2 |
Related Weaknesses (CWE)
References
- https://github.com/WanderingAstronomer/Vociferous/security/advisories/GHSA-7cpr-ExploitVendor Advisory
FAQ
What is CVE-2026-27897?
CVE-2026-27897 is a vulnerability with a CVSS score of 10.0 (CRITICAL). Vociferous provides cross-platform, offline speech-to-text with local AI refinement. Prior to 4.4.2, the vulnerability exists in src/api/system.py within the export_file route. The application accepts...
How severe is CVE-2026-27897?
CVE-2026-27897 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-27897?
Check the references section above for vendor advisories and patch information. Affected products include: Wanderingastronomer Vociferous.