Home / Vulnerability Intelligence / CVE-2026-27897

CVE-2026-27897 - Vulnerability Analysis

CriticalCVSS: 10.0

Last Updated: March 11, 2026

Vociferous - Path Traversal

Published: March 11, 2026Updated: March 11, 2026Remote Exploitable

Overview

Vociferous < 4.4.2 contains a path traversal caused by lack of filename validation in export_file API, letting unauthenticated remote attackers write arbitrary files via crafted JSON payload, exploit requires no authentication.

Severity & Score

Severity: Critical

CVSS Score: 10.0

EPSS Score: 28.9%(Probability of exploitation in next 30 days)

Impact

Remote attackers can write arbitrary files with current user permissions, potentially leading to data tampering or system compromise.

Mitigation

Update to version 4.4.2 or later.

References

https://github.com/WanderingAstronomer/Vociferous/security/advisories/GHSA-7cpr-frgj-h85v

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 11, 2026

🔴 CVE-2026-27897 - Critical (10) Vociferous provides cross-platform, offline speech-to-text with local AI refinement. Prior to 4.4.2, the vulnerability exists in src/api/system.py within the export_file route. The application accepts a JSON payload containing a filename and conte... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27897/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-27897
Severity: Critical
CVSS Score: 10.0
Type: path_traversal
Status: new
EPSS: 28.9%
Social Posts: 1

CWE

CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

28.9%Probability of exploitation in the next 30 days