CVE-2026-27897

CRITICAL

10.0

Descricao

Vociferous provides cross-platform, offline speech-to-text with local AI refinement. Prior to 4.4.2, the vulnerability exists in src/api/system.py within the export_file route. The application accepts a JSON payload containing a filename and content. While the developer intended for a native UI dialog to handle the file path, the API does not validate the filename string before it is processed by the backends filesystem logic. Because the API is unauthenticated and the CORS configuration in app.py is overly permissive (allow_origins=["*"] or allowing localhost), an external attacker can bypass the UI entirely. By using directory traversal sequences (../), an attacker can force the app to write arbitrary data to any location accessible by the current user's permissions. This vulnerability is fixed in 4.4.2.

Detalhes CVE

Pontuacao CVSS v3.110.0

SeveridadeCRITICAL

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosNONE

Interacao do usuarioNONE

Publicado3/11/2026

Ultima modificacao3/20/2026

Fontenvd

Avistamentos honeypot0

Produtos afetados

wanderingastronomer:vociferous

Fraquezas (CWE)

CWE-22CWE-306

Referencias

https://github.com/WanderingAstronomer/Vociferous/security/advisories/GHSA-7cpr-frgj-h85v(security-advisories@github.com)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.