CVE-2026-27897
Received Received - Intake
Directory Traversal in Vociferous API Allows Arbitrary File Write

Publication date: 2026-03-11

Last updated on: 2026-03-20

Assigner: GitHub, Inc.

Description
Vociferous provides cross-platform, offline speech-to-text with local AI refinement. Prior to 4.4.2, the vulnerability exists in src/api/system.py within the export_file route. The application accepts a JSON payload containing a filename and content. While the developer intended for a native UI dialog to handle the file path, the API does not validate the filename string before it is processed by the backends filesystem logic. Because the API is unauthenticated and the CORS configuration in app.py is overly permissive (allow_origins=["*"] or allowing localhost), an external attacker can bypass the UI entirely. By using directory traversal sequences (../), an attacker can force the app to write arbitrary data to any location accessible by the current user's permissions. This vulnerability is fixed in 4.4.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-20
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27897
EUVD
EUVD-2026-11194
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wanderingastronomer vociferous to 4.4.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27897 is a critical unauthenticated remote path traversal vulnerability in the Vociferous application versions prior to 4.4.2. The flaw exists in the export_file route where the application accepts a JSON payload containing a filename and content. The API does not validate the filename string before processing it with backend filesystem logic.'}, {'type': 'paragraph', 'content': 'Because the API is unauthenticated and has an overly permissive CORS configuration, an attacker can bypass the intended native UI dialog and supply directory traversal sequences (e.g., "../") in the filename. This allows the attacker to write arbitrary data to any location accessible by the current user\'s permissions on the host system.'}, {'type': 'paragraph', 'content': 'This vulnerability can be exploited remotely without any user interaction or privileges, potentially leading to remote code execution and full system compromise.'}] [1]

Impact Analysis

This vulnerability can have severe impacts including unauthorized writing of arbitrary files anywhere the current user has access. An attacker can overwrite critical files such as authorized_keys, drop malware, or delete important files.

On shared servers, this can lead to cross-user impact and full system compromise, allowing attackers to execute remote code and gain control over the affected system.

The vulnerability requires no privileges and no user interaction, making it highly exploitable and dangerous.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unauthorized POST requests to the export_file API endpoint, specifically to the URL path /api/export on the Vociferous service (default port 18900). Look for JSON payloads containing filenames with directory traversal sequences such as "../".'}, {'type': 'paragraph', 'content': 'A practical detection method is to capture and inspect HTTP traffic to identify suspicious requests that attempt to write files outside the intended directory.'}, {'type': 'paragraph', 'content': 'Example command using curl to test if the vulnerable endpoint is accessible and accepts directory traversal in the filename:'}, {'type': 'list_item', 'content': 'curl -X POST http://localhost:18900/api/export -H "Content-Type: application/json" -d \'{"filename": "../test.txt", "content": "test"}\''}, {'type': 'paragraph', 'content': 'Additionally, network monitoring tools or intrusion detection systems (IDS) can be configured to alert on POST requests with suspicious JSON payloads containing directory traversal patterns targeting the /api/export route.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': 'Upgrade Vociferous to version 4.4.2 or later, where this vulnerability is fixed.'}, {'type': 'list_item', 'content': 'Implement input sanitization by ensuring the filename parameter is sanitized, for example by using os.path.basename() to strip directory traversal sequences.'}, {'type': 'list_item', 'content': 'Enforce mandatory API authentication such as Bearer Tokens or API Keys to prevent unauthorized access and Cross-Site Request Forgery (CSRF).'}, {'type': 'list_item', 'content': 'Restrict CORS policy to allow only trusted origins instead of using wildcards like "*" or allowing localhost.'}, {'type': 'list_item', 'content': 'Implement path anchoring and validation by resolving absolute paths and ensuring file writes occur only within a designated export directory.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27897. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart