CVE-2026-27897

CRITICAL 10.0

Vociferous Unauthenticated Remote Path Traversal (RCE via CSRF)

CVSS Score

10.0

EPSS Score

0.0%

EPSS Percentile

0th

Vociferous provides cross-platform, offline speech-to-text with local AI refinement. Prior to 4.4.2, the vulnerability exists in src/api/system.py within the export_file route. The application accepts a JSON payload containing a filename and content. While the developer intended for a native UI dialog to handle the file path, the API does not validate the filename string before it is processed by the backends filesystem logic. Because the API is unauthenticated and the CORS configuration in app.py is overly permissive (allow_origins=["*"] or allowing localhost), an external attacker can bypass the UI entirely. By using directory traversal sequences (../), an attacker can force the app to write arbitrary data to any location accessible by the current user's permissions. This vulnerability is fixed in 4.4.2.

CWE	CWE-22 CWE-306
Vendor	wanderingastronomer
Product	vociferous
Published	Mar 11, 2026
Last Updated	Mar 11, 2026

Stay Ahead of the Next One

Get instant alerts for wanderingastronomer vociferous

Be the first to know when new critical vulnerabilities affecting wanderingastronomer vociferous are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

WanderingAstronomer / Vociferous

< 4.4.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/WanderingAstronomer/Vociferous/security/advisories/GHSA-7cpr-frgj-h85v