CVE-2026-27897: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WanderingAstronomer Vociferous
Vociferous provides cross-platform, offline speech-to-text with local AI refinement. Prior to 4.4.2, the vulnerability exists in src/api/system.py within the export_file route. The application accepts a JSON payload containing a filename and content. While the developer intended for a native UI dialog to handle the file path, the API does not validate the filename string before it is processed by the backend's filesystem logic. Because the API is unauthenticated and the CORS configuration in app.py is overly permissive (allow_origins=["*"] or allowing localhost), an external attacker can bypass the UI entirely. By using directory traversal sequences (../), an attacker can force the app to write arbitrary data to any location accessible under the current user's permissions. This vulnerability is fixed in 4.4.2.
AI Analysis
Technical Summary
The vulnerability CVE-2026-27897 affects WanderingAstronomer's Vociferous speech-to-text software in versions prior to 4.4.2. The issue lies in the export_file route implemented in src/api/system.py, which processes a JSON payload containing a filename and content to write files locally. The developer intended for file paths to be controlled via a native UI dialog, but the API itself does not validate or sanitize the filename parameter. This lack of validation allows an attacker to include directory traversal sequences (e.g., '../') in the filename, enabling arbitrary file writes outside the intended directory. Compounding the risk, the API is unauthenticated, and the CORS policy in app.py is overly permissive, allowing any origin or localhost, which enables remote attackers to bypass the UI and invoke the vulnerable API directly. Successful exploitation can lead to arbitrary file creation or modification with the privileges of the user running the application, potentially allowing attackers to overwrite critical system or application files, inject malicious code, or disrupt service availability. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-306 (Missing Authentication for Critical Function). The CVSS v3.1 base score is 10.0, reflecting network attack vector, no required privileges or user interaction, and complete compromise of confidentiality, integrity, and availability. The issue was publicly disclosed on March 11, 2026, and fixed in Vociferous version 4.4.2.
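The following is an added example, not Vociferous's own src/api/system.py: the unchecked join the analysis describes, shown beside a handler that confines export targets to one directory, plus an exact-match origin allow-list of the kind mitigation items 3 and 4 below call for. Function names, the export directory and the allow-list contents are assumptions for illustration.

```python
"""Added example, not Vociferous's own code: confining an export filename
to a single directory, beside the unchecked join the advisory describes.
Function names, the export directory and origins are assumptions."""
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafeFilename(ValueError):
    """Raised when a submitted filename is anything other than a bare name."""


def export_path_unchecked(base_dir, filename):
    """The weak form: the caller-supplied name is joined onto the export
    directory with no validation, so '..' components or an absolute path
    move the target outside base_dir (the path is returned, never written)."""
    return (Path(base_dir) / filename).resolve()


def export_path_confined(base_dir, filename):
    """Hardened form: accept only a bare file name (no separators, drive
    letters or '..' under either POSIX or Windows rules, since the app is
    cross-platform), then verify that the resolved target's parent is
    exactly the resolved export directory."""
    if not filename or filename in (".", "..") or "\x00" in filename:
        raise UnsafeFilename(f"rejected name: {filename!r}")
    if PurePosixPath(filename).name != filename or PureWindowsPath(filename).name != filename:
        raise UnsafeFilename(f"name must not contain path components: {filename!r}")
    base = Path(base_dir).resolve()
    target = (base / filename).resolve()  # also follows a symlink planted inside base
    if target.parent != base:
        raise UnsafeFilename(f"{target} is outside {base}")
    return target


def is_safe_export_name(base_dir, filename):
    """Boolean wrapper around export_path_confined for callers and tests."""
    try:
        export_path_confined(base_dir, filename)
        return True
    except UnsafeFilename:
        return False


def write_export(base_dir, filename, content):
    """Write content to the confined path; base_dir is created if absent."""
    Path(base_dir).mkdir(parents=True, exist_ok=True)
    target = export_path_confined(base_dir, filename)
    target.write_text(content, encoding="utf-8")
    return target


def origin_allowed(origin, allowed_origins):
    """Exact-match origin allow-list for the CORS layer: a wildcard entry is
    dropped (fail closed) and a bare host such as 'localhost' is not an
    origin, so it matches nothing."""
    allowed = {o for o in allowed_origins if o != "*"}
    return origin in allowed


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(write_export(tmp, "transcript.txt", "hello"))
        for name in ("../../outside.txt", "/outside.txt", "C:\\outside.txt"):
            print(name, "->", "accepted" if is_safe_export_name(tmp, name) else "rejected")
```

The two-layer check matters: the bare-name test rejects anything with path components up front, and the parent-directory comparison after `resolve()` catches what a lexical check cannot, such as a symlink already present inside the export directory.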
Potential Impact
This vulnerability poses a severe risk to organizations using Vociferous versions prior to 4.4.2. Exploitation allows remote, unauthenticated attackers to write arbitrary files anywhere on the filesystem accessible to the application user. This can lead to complete system compromise, including data theft, unauthorized code execution, persistent backdoors, and denial of service by overwriting critical files. Because the API is exposed with permissive CORS settings, attackers can exploit this from remote web origins, increasing the attack surface. Organizations relying on Vociferous for speech-to-text processing, especially in sensitive environments, face risks of intellectual property theft, operational disruption, and potential lateral movement within networks if the compromised host is part of a larger infrastructure. The critical severity and ease of exploitation make this a high-priority issue for immediate remediation.
Mitigation Recommendations
1. Upgrade Vociferous to version 4.4.2 or later, where this vulnerability is patched.
2. If upgrading immediately is not possible, restrict network access to the export_file API endpoint by implementing firewall rules or network segmentation to limit exposure.
3. Harden CORS policies by configuring app.py to allow only trusted origins instead of wildcard or localhost.
4. Implement additional input validation and sanitization on the filename parameter to reject directory traversal sequences and enforce strict path constraints.
5. Introduce authentication and authorization controls on the API endpoints to prevent unauthenticated access.
6. Monitor logs for suspicious file write activities or unexpected API calls.
7. Conduct regular security audits and penetration testing focused on API endpoints and file handling logic.
8. Educate developers on secure coding practices related to file system access and API security.
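For mitigation item 6, the following is an added example, not part of Vociferous: a scan over application request logs that flags export_file calls whose filename is not a bare name, or whose origin is not on the allow-list. The log format, its field names, the "export_file" route label and the trusted origin are all constructed for this example.

```python
"""Added example for log monitoring, not Vociferous's own code: flag
export_file requests whose filename could leave the export directory or
whose origin is not trusted. Log format and fields are constructed."""
import json
from pathlib import PurePosixPath, PureWindowsPath

# Origins the UI is expected to run from (assumption for the example).
TRUSTED_ORIGINS = {"http://localhost:5173"}

# Constructed sample log lines: one JSON object per request (not real output).
SAMPLE_LOG = """\
{"ts": "2026-03-11T15:01:02Z", "route": "export_file", "origin": "http://localhost:5173", "filename": "meeting-notes.txt"}
{"ts": "2026-03-11T15:01:09Z", "route": "export_file", "origin": "http://other.example", "filename": "../../../outside.txt"}
{"ts": "2026-03-11T15:01:15Z", "route": "export_file", "origin": "http://localhost:5173", "filename": "C:\\\\outside.txt"}
{"ts": "2026-03-11T15:02:00Z", "route": "status", "origin": "http://localhost:5173", "filename": null}
"""


def classify_filename(name):
    """Return why a submitted filename is not a bare name, or None if it is.
    Both POSIX and Windows rules are applied because the app is cross-platform."""
    if not name:
        return "empty"
    posix, win = PurePosixPath(name), PureWindowsPath(name)
    if posix.anchor or win.anchor:          # leading '/', drive letter or '\\'
        return "absolute"
    if ".." in posix.parts or ".." in win.parts:
        return "traversal"
    if posix.name != name or win.name != name:
        return "nested"                     # has separators but no '..'
    return None


def scan_export_log(text, trusted_origins=TRUSTED_ORIGINS):
    """Return one finding per export_file request with a suspicious filename
    or an untrusted origin; other routes are ignored."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("route") != "export_file":
            continue
        reasons = []
        kind = classify_filename(rec.get("filename") or "")
        if kind:
            reasons.append(f"filename:{kind}")
        if rec.get("origin") not in trusted_origins:
            reasons.append("origin:untrusted")
        if reasons:
            findings.append({"ts": rec["ts"], "filename": rec.get("filename"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_export_log(SAMPLE_LOG):
        print(finding["ts"], finding["filename"], ", ".join(finding["reasons"]))
```

Run against the constructed log, the scan reports the traversal request from an untrusted origin and the drive-letter path, and passes the ordinary export and the unrelated status call. Because the filename is classified independently of the origin, a request from the trusted UI origin with a bad filename is still reported.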
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T15:19:29.717Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b1917d2f860ef9432c8e42
Added to database: 3/11/2026, 3:59:57 PM
Last enriched: 3/11/2026, 4:14:44 PM
Last updated: 3/13/2026, 11:51:45 PM