npm package
sillytavern
pkg:npm/sillytavern
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44652 | Med | — | < 1.18.0 | 1.18.0 | May 29, 2026 | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, corsProxyMiddleware forwards req.params.url directly into fetch(url, ...). It on | |
| CVE-2026-44651 | Med | — | < 1.18.0 | 1.18.0 | May 29, 2026 | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, when fetch(url) throws, the code sends: res.status(500).send('Error occurred whi | |
| CVE-2026-44650 | Cri | 9.1 | < 1.18.0 | 1.18.0 | May 29, 2026 | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, POST /api/extensions/delete endpoint accepts extensionName: "." which bypasses s | |
| CVE-2026-44649 | Cri | 9.8 | < 1.18.0 | 1.18.0 | May 29, 2026 | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern accepts Remote-User (Authelia) and X-Authentik-Username (Authentik) | |
| CVE-2026-44648 | Hig | 7.5 | < 1.18.0 | 1.18.0 | May 29, 2026 | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern relies on cookie-session for authentication, storing all session dat | |
| CVE-2026-34526 | Med | 5.0 | < 1.17.0 | 1.17.0 | Apr 2, 2026 | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, in src/endpoints/search.js, the hostname is checked against /^\d+\.\d+\. | |
| CVE-2026-34524 | Hig | 8.3 | < 1.17.0 | 1.17.0 | Apr 2, 2026 | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in chat endpoints allows an authenticated | |
| CVE-2026-34523 | Med | 5.3 | < 1.17.0 | 1.17.0 | Apr 2, 2026 | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in the static file route handler allows a | |
| CVE-2026-34522 | Hig | 8.1 | < 1.17.0 | 1.17.0 | Apr 2, 2026 | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in /api/chats/import allows an authentica | |
| CVE-2025-59159 | Cri | 9.6 | < 1.13.4 | 1.13.4 | Oct 6, 2025 | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. In versions prior to 1.13.4, the web user interface for SillyTavern is susceptible to DNS rebindi |
- affected < 1.18.0fixed 1.18.0
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, corsProxyMiddleware forwards req.params.url directly into fetch(url, ...). It on
- affected < 1.18.0fixed 1.18.0
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, when fetch(url) throws, the code sends: res.status(500).send('Error occurred whi
- affected < 1.18.0fixed 1.18.0
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, POST /api/extensions/delete endpoint accepts extensionName: "." which bypasses s
- affected < 1.18.0fixed 1.18.0
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern accepts Remote-User (Authelia) and X-Authentik-Username (Authentik)
- affected < 1.18.0fixed 1.18.0
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern relies on cookie-session for authentication, storing all session dat
- affected < 1.17.0fixed 1.17.0
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, in src/endpoints/search.js, the hostname is checked against /^\d+\.\d+\.
- affected < 1.17.0fixed 1.17.0
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in chat endpoints allows an authenticated
- affected < 1.17.0fixed 1.17.0
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in the static file route handler allows a
- affected < 1.17.0fixed 1.17.0
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in /api/chats/import allows an authentica
- affected < 1.13.4fixed 1.13.4
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. In versions prior to 1.13.4, the web user interface for SillyTavern is susceptible to DNS rebindi