CVE-2026-27897
CRITICAL
CVSS 10.0
No EPSS data
Description
Vociferous provides cross-platform, offline speech-to-text with local AI refinement. Prior to 4.4.2, the vulnerability exists in src/api/system.py within the export_file route. The application accepts a JSON payload containing a filename and content. While the developer intended for a native UI dialog to handle the file path, the API does not validate the filename string before it is processed by the backends filesystem logic. Because the API is unauthenticated and the CORS configuration in app.py is overly permissive (allow_origins=["*"] or allowing localhost), an external attacker can bypass the UI entirely. By using directory traversal sequences (../), an attacker can force the app to write arbitrary data to any location accessible by the current user's permissions. This vulnerability is fixed in 4.4.2.
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
Show JSON
{
"cve": {
"id": "CVE-2026-27897",
"cveTags": [],
"metrics": {
"cvssMetricV31": [
{
"type": "Secondary",
"source": "security-advisories@github.com",
"cvssData": {
"scope": "CHANGED",
"version": "3.1",
"baseScore": 10,
"attackVector": "NETWORK",
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"integrityImpact": "HIGH",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"availabilityImpact": "HIGH",
"privilegesRequired": "NONE",
"confidentialityImpact": "HIGH"
},
"impactScore": 6,
"exploitabilityScore": 3.9
},
{
"type": "Primary",
"source": "nvd@nist.gov",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 7.1,
"attackVector": "LOCAL",
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"integrityImpact": "HIGH",
"userInteraction": "REQUIRED",
"attackComplexity": "LOW",
"availabilityImpact": "HIGH",
"privilegesRequired": "NONE",
"confidentialityImpact": "NONE"
},
"impactScore": 5.2,
"exploitabilityScore": 1.8
}
]
},
"published": "2026-03-11T16:16:40.133",
"references": [
{
"url": "https://github.com/WanderingAstronomer/Vociferous/security/advisories/GHSA-7cpr-frgj-h85v",
"tags": [
"Exploit",
"Vendor Advisory"
],
"source": "security-advisories@github.com"
}
],
"vulnStatus": "Analyzed",
"weaknesses": [
{
"type": "Primary",
"source": "security-advisories@github.com",
"description": [
{
"lang": "en",
"value": "CWE-22"
},
{
"lang": "en",
"value": "CWE-306"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vociferous provides cross-platform, offline speech-to-text with local AI refinement. Prior to 4.4.2, the vulnerability exists in src/api/system.py within the export_file route. The application accepts a JSON payload containing a filename and content. While the developer intended for a native UI dialog to handle the file path, the API does not validate the filename string before it is processed by the backends filesystem logic. Because the API is unauthenticated and the CORS configuration in app.py is overly permissive (allow_origins=[\"*\"] or allowing localhost), an external attacker can bypass the UI entirely. By using directory traversal sequences (../), an attacker can force the app to write arbitrary data to any location accessible by the current user's permissions. This vulnerability is fixed in 4.4.2."
},
{
"lang": "es",
"value": "Vociferous proporciona conversi\u00f3n de voz a texto multiplataforma y sin conexi\u00f3n con refinamiento de IA local. Antes de la versi\u00f3n 4.4.2, la vulnerabilidad existe en src/api/system.py dentro de la ruta export_file. La aplicaci\u00f3n acepta una carga \u00fatil JSON que contiene un nombre de archivo y contenido. Si bien el desarrollador pretend\u00eda que un di\u00e1logo de interfaz de usuario nativo manejara la ruta del archivo, la API no valida la cadena del nombre de archivo antes de que sea procesada por la l\u00f3gica del sistema de archivos del backend. Debido a que la API no est\u00e1 autenticada y la configuraci\u00f3n CORS en app.py es excesivamente permisiva (allow_origins=['*'] o permitiendo localhost), un atacante externo puede omitir la interfaz de usuario por completo. Al usar secuencias de salto de directorio (../), un atacante puede forzar a la aplicaci\u00f3n a escribir datos arbitrarios en cualquier ubicaci\u00f3n accesible por los permisos del usuario actual. Esta vulnerabilidad se corrige en la versi\u00f3n 4.4.2."
}
],
"lastModified": "2026-03-20T14:27:12.263",
"configurations": [
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wanderingastronomer:vociferous:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "DF35DC01-126A-4945-A4F9-462D79BC1FD4",
"versionEndExcluding": "4.4.2"
}
],
"operator": "OR"
}
]
}
],
"sourceIdentifier": "security-advisories@github.com"
}
}