


Perceptive Security
SOC/SIEM Consultancy

Vociferous provides cross-platform, offline speech-to-text with local AI refinement. Prior to 4.4.2, the vulnerability exists in src/api/system.py within the ex…
Published:
10 March 2026 at 23:00:00
Alert date:
11 March 2026 at 17:02:13
Source:
nvd.nist.gov
Web Technologies, Enterprise Applications
The Vociferous speech-to-text application contains a directory traversal vulnerability in versions prior to 4.4.2. The vulnerability exists in src/api/system.py within the export_file route, where the application accepts JSON payloads containing a filename and content without proper validation. Because the API is unauthenticated and the CORS configuration is permissive, external attackers can use directory traversal sequences (../) to write arbitrary data to any location accessible to the current user. The vulnerability bypasses the intended native UI dialog file handling mechanism. This issue has been fixed in version 4.4.2.
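The filename handling described above can be illustrated with an added example, which is not the Vociferous code or its 4.4.2 fix: it contrasts a join that trusts the client-supplied filename with a resolver that confines writes to one export directory. The function names, the export directory and the sample filenames are assumptions made for the illustration, and it covers only path validation, not the authentication or CORS aspects.

```python
import os
import tempfile
from pathlib import Path


def naive_export_path(export_dir: str, filename: str) -> Path:
    """Unsafe pattern: trusts the client-supplied filename as-is."""
    return Path(os.path.normpath(os.path.join(export_dir, filename)))


def safe_export_path(export_dir: str, filename: str) -> Path:
    """Return a path directly inside export_dir, or raise ValueError."""
    if not filename or "\x00" in filename:
        raise ValueError("empty filename or NUL byte")
    # Treat both separator styles as hostile, whatever the host OS is.
    if "/" in filename or "\\" in filename:
        raise ValueError("path separators are not allowed in filename")
    if filename in (".", "..") or Path(filename).is_absolute():
        raise ValueError("not a plain file name")
    base = Path(export_dir).resolve()
    candidate = (base / filename).resolve()  # follows symlinks as well
    # Final containment check on the fully resolved path.
    if candidate.parent != base:
        raise ValueError("resolved path escapes the export directory")
    return candidate


def is_rejected(export_dir: str, filename: str) -> bool:
    """True when safe_export_path refuses the filename."""
    try:
        safe_export_path(export_dir, filename)
        return False
    except ValueError:
        return True


# Constructed sample inputs (not taken from the advisory).
SAMPLES = ["notes.txt", "../outside.txt", "..\\outside.txt",
           "/etc/cron.d/x", "a/../../b", ".."]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name in SAMPLES:
            print(f"{name!r:20} naive -> {naive_export_path(d, name)}"
                  f"  rejected={is_rejected(d, name)}")
```

The check on the resolved path matters in addition to the separator checks: a symlink placed inside the export directory has a plain name but resolves elsewhere.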
Technical details
Affected products:
Vociferous
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-27897
https://github.com/WanderingAstronomer/Vociferous/security/advisories/GHSA-7cpr-frgj-h85v
This article was created with the assistance of AI technology by Perceptive.
