VYPR

npm package

sillytavern

pkg:npm/sillytavern

Vulnerabilities (10)

  • CVE-2026-44652MedMay 29, 2026
    affected < 1.18.0fixed 1.18.0

    SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, corsProxyMiddleware forwards req.params.url directly into fetch(url, ...). It on

  • CVE-2026-44651MedMay 29, 2026
    affected < 1.18.0fixed 1.18.0

    SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, when fetch(url) throws, the code sends: res.status(500).send('Error occurred whi

  • CVE-2026-44650CriMay 29, 2026
    affected < 1.18.0fixed 1.18.0

    SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, POST /api/extensions/delete endpoint accepts extensionName: "." which bypasses s

  • CVE-2026-44649CriMay 29, 2026
    affected < 1.18.0fixed 1.18.0

    SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern accepts Remote-User (Authelia) and X-Authentik-Username (Authentik)

  • CVE-2026-44648HigMay 29, 2026
    affected < 1.18.0fixed 1.18.0

    SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern relies on cookie-session for authentication, storing all session dat

  • CVE-2026-34526MedApr 2, 2026
    affected < 1.17.0fixed 1.17.0

    SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, in src/endpoints/search.js, the hostname is checked against /^\d+\.\d+\.

  • CVE-2026-34524HigApr 2, 2026
    affected < 1.17.0fixed 1.17.0

    SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in chat endpoints allows an authenticated

  • CVE-2026-34523MedApr 2, 2026
    affected < 1.17.0fixed 1.17.0

    SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in the static file route handler allows a

  • CVE-2026-34522HigApr 2, 2026
    affected < 1.17.0fixed 1.17.0

    SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in /api/chats/import allows an authentica

  • CVE-2025-59159CriOct 6, 2025
    affected < 1.13.4fixed 1.13.4

    SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. In versions prior to 1.13.4, the web user interface for SillyTavern is susceptible to DNS rebindi