Impact
The vulnerability is in the export_file route of Vociferous versions earlier than 4.4.2. The API accepts a JSON payload containing a filename and content, but the backend does not validate the filename. Directory traversal sequences such as "../" are therefore accepted, which lets an attacker instruct the application to write arbitrary data to any directory that is writable by the process user. The API is unauthenticated and the CORS policy is permissive, allowing cross-origin requests from any domain; the likely attack vector, inferred from the permissive CORS setting, is therefore an unauthenticated HTTP request that originates from a foreign origin. If an attacker supplies a file that contains executable code or modifies a configuration file, the application will run that code with the privileges of the process, giving the attacker remote code execution capabilities. The weakness involves missing input validation (CWE-22) and absent authentication controls (CWE-306).
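The filename check that the paragraph above says is missing can be sketched as follows. This is an added example, not Vociferous code or the project's actual fix; `EXPORT_DIR`, `naive_export_path`, `safe_export_path` and the sample filenames are hypothetical names constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical export directory; the real application's layout is not shown on the page.
EXPORT_DIR = Path(tempfile.mkdtemp(prefix="exports-")).resolve()


def naive_export_path(filename: str) -> Path:
    """Unvalidated pattern: join the client-supplied name as-is."""
    return Path(os.path.normpath(EXPORT_DIR / filename))


def safe_export_path(filename: str) -> Path:
    """Return a path guaranteed to sit directly inside EXPORT_DIR, or raise ValueError."""
    if not filename or "\x00" in filename:
        raise ValueError("empty or malformed filename")
    # Reject both separator styles, since the application is cross-platform.
    if "/" in filename or "\\" in filename or filename in (".", ".."):
        raise ValueError("filename must be a bare name, not a path")
    candidate = (EXPORT_DIR / filename).resolve()
    # Defence in depth: resolve() follows symlinks and drive-relative names,
    # so confirm the final location is still the export directory.
    if candidate.parent != EXPORT_DIR:
        raise ValueError("resolved path escapes the export directory")
    return candidate


def is_rejected(filename: str) -> bool:
    """True when the hardened check refuses the name."""
    try:
        safe_export_path(filename)
        return False
    except ValueError:
        return True


# Constructed sample inputs, not taken from the advisory.
SAMPLES = ["notes.txt", "../outside.txt", "..\\outside.txt", "/tmp/abs.txt", "a/../../b"]

if __name__ == "__main__":
    for name in SAMPLES:
        escaped = EXPORT_DIR not in naive_export_path(name).parents
        print(f"{name!r:22} naive escapes={escaped!s:5} hardened rejects={is_rejected(name)}")
```

Validating the name closes the traversal only; the missing authentication and the permissive CORS policy described above are separate controls that this check does not replace.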
Affected Systems
The affected product is Vociferous, developed by WanderingAstronomer. All releases prior to 4.4.2 contain the flaw. No other vendors or product versions are indicated in the advisory. Vociferous is a cross-platform offline speech-to-text application with local AI refinement.
Risk and Exploitability
The vulnerability has a CVSS score of 10, indicating critical severity, yet the EPSS score is less than 1%, suggesting a low probability of exploitation at present. It is not listed in CISA's KEV catalog. Exploitation requires supplying a crafted JSON payload to the unauthenticated /export_file endpoint and using directory traversal to write malicious files. Because the shared CORS policy accepts any origin, an attacker can bypass the native user interface and submit these requests without authentication; this is inferred from the available configuration. If a malicious executable is written, remote code execution can occur with the application's privileges.
OpenCVE Enrichment