CRITICAL🇵🇱 Wersja polska

CVE-2026-27897

CVSS 10.0v3.1pub. 2026-03-11upd. 2026-03-20

Vociferous provides cross-platform, offline speech-to-text with local AI refinement. Prior to 4.4.2, the vulnerability exists in src/api/system.py within the export_file route. The application accepts a JSON payload containing a filename and content. While the developer intended for a native UI dialog to handle the file path, the API does not validate the filename string before it is processed by the backends filesystem logic. Because the API is unauthenticated and the CORS configuration in app.py is overly permissive (allow_origins=["*"] or allowing localhost), an external attacker can bypass the UI entirely. By using directory traversal sequences (../), an attacker can force the app to write arbitrary data to any location accessible by the current user's permissions. This vulnerability is fixed in 4.4.2.

🤖 AI Analysis
How it works

The vulnerability is located in the src/api/system.py file, in the export_file route, which accepts a JSON payload containing a file name and its content. The application does not verify the provided file name before passing it to the file system logic. Since the endpoint does not require authentication, and the CORS configuration in app.py is overly permissive (allow_origins=["*"] or localhost), an attacker can bypass the user interface and directly invoke the API. Using path traversal sequences (../), an attacker can force the application to write arbitrary data to any location accessible to the current user's permissions.

Impact

An attacker can write arbitrary content to any location in the file system accessible to the application process, which may lead to overwriting critical system or configuration files, injection of malicious code, and takeover of system control.

Mitigation & patch

Vociferous should be updated to version 4.4.2, in which the vulnerability has been patched. Additionally, it is recommended to restrict network access to the application API and to verify CORS configuration.

Who is affected

Vociferous in versions prior to 4.4.2 (vendor: WanderingAstronomer)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Wanderingastronomer Vociferous

    APP
    Wanderingastronomer
    < 4.4.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References