PT-2026-24699 · Wanderingastronomer · Vociferous

Cfarley05 · Published 2026-03-11 · Updated 2026-03-15 · CVE-2026-27897

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Vociferous versions prior to 4.4.2

Description

Vociferous is a cross-platform, offline speech-to-text application with local AI refinement. A flaw exists in the /export file API endpoint, implemented in the src/api/system.py file. The endpoint accepts a JSON payload containing a filename and content, but does not validate the filename string before passing it to the backend filesystem logic. The API is unauthenticated, and its CORS configuration allows requests from any origin. An attacker can therefore bypass the user interface and use directory traversal sequences (e.g., '../') in the filename to write arbitrary data to any location the current user's permissions allow. The vulnerable component is the /export file API endpoint, and the vulnerable input is the filename variable in its JSON payload.

Recommendations

Update Vociferous to version 4.4.2 or later.
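
An added example, not Vociferous's code or its 4.4.2 fix: one way an export handler can confine a client-supplied filename to a fixed export directory, shown beside the unchecked join the description refers to. The function names, the exception class and the sample filenames are assumptions made for illustration; authentication and the CORS origin policy are separate controls this check does not cover.

```python
from pathlib import Path, PureWindowsPath
import tempfile


class UnsafeFilename(ValueError):
    """Raised when a client-supplied export filename is rejected."""


def naive_export_path(export_dir: Path, filename: str) -> Path:
    # The pattern the advisory describes: the filename is joined unchecked.
    return (export_dir / filename).resolve()


def safe_export_path(export_dir: Path, filename: str) -> Path:
    """Return a path for filename that is guaranteed to sit inside export_dir."""
    if not filename or "\x00" in filename:
        raise UnsafeFilename("empty filename or NUL byte")
    # Accept a bare file name only. PureWindowsPath treats '/' and '\\' as
    # separators and knows drive prefixes, so one check covers POSIX and
    # Windows style input for a cross-platform application.
    if filename == ".." or PureWindowsPath(filename).name != filename:
        raise UnsafeFilename(f"not a bare file name: {filename!r}")
    base = export_dir.resolve()
    target = (base / filename).resolve()
    # Defence in depth: after symlink resolution the target must stay in base.
    if base not in target.parents:
        raise UnsafeFilename(f"escapes export directory: {filename!r}")
    return target


if __name__ == "__main__":
    # Constructed sample filenames, checked against a throwaway directory.
    with tempfile.TemporaryDirectory() as tmp:
        exports = Path(tmp) / "exports"
        exports.mkdir()
        for name in ["transcript.txt", "../outside.txt", "..\\outside.txt", "/abs.txt"]:
            try:
                print(f"{name!r}: accepted -> {safe_export_path(exports, name)}")
            except UnsafeFilename as exc:
                print(f"{name!r}: rejected ({exc})")
        print("naive join resolves to:", naive_export_path(exports, "../outside.txt"))
```

The second check matters when the export directory can contain symlinks: a bare name that passes the first test can still resolve outside the directory.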

Fix

RCE

Path traversal

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-27897

Affected Products

Vociferous