
Cfarley05

#22807 of 53,633
10 CVSS total
Vulnerabilities · 1
PT-2026-24699
10
2026-03-11
Wanderingastronomer · Vociferous · CVE-2026-27897
**Name of the Vulnerable Software and Affected Versions**

Vociferous versions prior to 4.4.2

**Description**

Vociferous is a cross-platform, offline speech-to-text application with local AI refinement. A flaw exists in the `src/api/system.py` file within the `/export file` API endpoint. The application accepts a JSON payload containing a filename and content, but does not validate the filename string before processing it with the backend filesystem logic. The API is unauthenticated and the CORS configuration allows requests from any origin. This allows an attacker to bypass the user interface and use directory traversal sequences (e.g., '../') to write arbitrary data to any location accessible by the current user's permissions. The vulnerable component is the `/export file` API endpoint, which accepts a `filename` variable in the JSON payload.

**Recommendations**

Update Vociferous to version 4.4.2 or later.
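
The missing check described above, sketched as an added example; this is not Vociferous code and not the project's 4.4.2 fix. The names `resolve_export_path`, `write_export` and the `exports` directory are hypothetical, the payloads are constructed, and it covers only filename validation, not the unauthenticated API or the CORS setting.

```python
import os
import tempfile
from pathlib import Path


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename would escape the export directory."""


def resolve_export_path(export_dir: Path, filename: str) -> Path:
    """Return the path inside export_dir for filename, or raise UnsafeFilename."""
    if not isinstance(filename, str) or not filename or "\x00" in filename:
        raise UnsafeFilename("empty or malformed filename")
    # Accept a bare name only: no POSIX or Windows separators, no drive prefix.
    if "/" in filename or "\\" in filename or ":" in filename:
        raise UnsafeFilename("path separators are not allowed")
    if filename in (".", ".."):
        raise UnsafeFilename("relative directory names are not allowed")
    base = export_dir.resolve()
    candidate = (base / filename).resolve()
    # Defence in depth: after symlink resolution the target must still sit in base.
    if candidate.parent != base:
        raise UnsafeFilename("resolved path leaves the export directory")
    return candidate


def write_export(export_dir: Path, filename: str, content: str) -> Path:
    target = resolve_export_path(export_dir, filename)
    with open(target, "x", encoding="utf-8") as fh:  # "x" refuses to overwrite
        fh.write(content)
    return target


def demo() -> dict:
    """Run constructed payloads through the check; True means accepted."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        export_dir = Path(tmp) / "exports"  # hypothetical export location
        export_dir.mkdir()
        for name in ["notes.txt", "../outside.txt", "/tmp/abs.txt", "..\\win.txt", "..", ""]:
            try:
                write_export(export_dir, name, "constructed sample content")
                results[name] = True
            except UnsafeFilename:
                results[name] = False
        results["files"] = sorted(os.listdir(export_dir))
        results["outside"] = sorted(os.listdir(tmp))
    return results
```
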