{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34526", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T16:03:31.048Z", "datePublished": "2026-04-02T17:16:55.897Z", "dateUpdated": "2026-04-02T17:48:03.787Z"}, "containers": {"cna": {"title": "SillyTavern: Incomplete IP validation in /api/search/visit allows SSRF via localhost and IPv6", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-wm7j-m6jm-8797", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-wm7j-m6jm-8797"}, {"name": "https://github.com/SillyTavern/SillyTavern/releases/tag/1.17.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/SillyTavern/SillyTavern/releases/tag/1.17.0"}], "affected": [{"vendor": "SillyTavern", "product": "SillyTavern", "versions": [{"version": "< 1.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:16:55.897Z"}, "descriptions": [{"lang": "en", "value": "SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, in src/endpoints/search.js, the hostname is checked against /^\\d+\\.\\d+\\.\\d+\\.\\d+$/. This only matches literal dotted-quad IPv4 (e.g. 127.0.0.1, 10.0.0.1). It does not catch: localhost (hostname, not dotted-quad), [::1] (IPv6 loopback), and DNS names resolving to internal addresses (e.g. localtest.me -> 127.0.0.1). A separate port check (urlObj.port !== '') limits exploitation to services on default ports (80/443), making this lower severity than a fully unrestricted SSRF. This issue has been patched in version 1.17.0."}], "source": {"advisory": "GHSA-wm7j-m6jm-8797", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-wm7j-m6jm-8797", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T17:47:59.886274Z", "id": "CVE-2026-34526", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:48:03.787Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34526", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T17:47:59.886274Z"}}}], "references": [{"url": "https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-wm7j-m6jm-8797", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:47:54.532Z"}}], "cna": {"title": "SillyTavern: Incomplete IP validation in /api/search/visit allows SSRF via localhost and IPv6", "source": {"advisory": "GHSA-wm7j-m6jm-8797", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "SillyTavern", "product": "SillyTavern", "versions": [{"status": "affected", "version": "< 1.17.0"}]}], "references": [{"url": "https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-wm7j-m6jm-8797", "name": "https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-wm7j-m6jm-8797", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/SillyTavern/SillyTavern/releases/tag/1.17.0", "name": "https://github.com/SillyTavern/SillyTavern/releases/tag/1.17.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, in src/endpoints/search.js, the hostname is checked against /^\\d+\\.\\d+\\.\\d+\\.\\d+$/. This only matches literal dotted-quad IPv4 (e.g. 127.0.0.1, 10.0.0.1). It does not catch: localhost (hostname, not dotted-quad), [::1] (IPv6 loopback), and DNS names resolving to internal addresses (e.g. localtest.me -> 127.0.0.1). A separate port check (urlObj.port !== '') limits exploitation to services on default ports (80/443), making this lower severity than a fully unrestricted SSRF. This issue has been patched in version 1.17.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:16:55.897Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34526", "state": "PUBLISHED", "dateUpdated": "2026-04-02T17:48:03.787Z", "dateReserved": "2026-03-30T16:03:31.048Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T17:16:55.897Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sillytavern:sillytavern:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7E2E14B3-75EF-4DC4-84BE-8C2F5D6949A4", "versionEndExcluding": "1.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, in src/endpoints/search.js, the hostname is checked against /^\\d+\\.\\d+\\.\\d+\\.\\d+$/. This only matches literal dotted-quad IPv4 (e.g. 127.0.0.1, 10.0.0.1). It does not catch: localhost (hostname, not dotted-quad), [::1] (IPv6 loopback), and DNS names resolving to internal addresses (e.g. localtest.me -> 127.0.0.1). A separate port check (urlObj.port !== '') limits exploitation to services on default ports (80/443), making this lower severity than a fully unrestricted SSRF. This issue has been patched in version 1.17.0."}], "id": "CVE-2026-34526", "lastModified": "2026-04-13T18:39:45.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T18:16:29.917", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/SillyTavern/SillyTavern/releases/tag/1.17.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-wm7j-m6jm-8797"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-wm7j-m6jm-8797"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.17.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SillyTavern", "source": "cna", "vendor": "SillyTavern"}, "product": "sillytavern", "vendor": "sillytavern"}], "analysis": {"en": {"generated_at": "2026-04-13T19:29:11.002555+00:00", "value": {"mitigation_remediation": ["Upgrade SillyTavern to version\u202f1.17.0 or later."], "summary": {"action": "Apply patch", "impact": "Server\u2011Side Request Forgery via localhost and IPv6 addresses, enabling access to internal services."}, "threat_synthesis": {"affected_systems": "All installations of SillyTavern older than version\u202f1.17.0 are affected. The application is open\u2011source and runs locally; the attack surface is the /api/search/visit endpoint in src/endpoints/search.js.", "description_and_impact": "The flaw allows an attacker to send requests to internal network addresses through the /api/search/visit endpoint because the hostname check only permits dotted\u2011quad IPs. Hostnames such as localhost, IPv6 loopback [::1], and DNS names that resolve to internal IPs are not blocked, enabling SSRF. The vulnerability is limited to services that listen on default ports (80 and 443), which reduces its severity compared with a fully unrestricted SSRF.", "risk_and_exploitability": "The CVSS base score of 5 indicates medium severity, and the EPSS score of less than 1\u202f% shows a low probability of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires sending a request to the vulnerable endpoint, either from an authenticated or unauthenticated user if the API is publicly accessible, and the attacker must know at least a valid default port to leverage the fallback port check."}}}}, "created": "2026-04-03T07:32:18.069776+00:00", "updated": "2026-04-14T16:41:59.071129+00:00", "vendors": ["sillytavern", "sillytavern$PRODUCT$sillytavern"]}