Description
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in chat endpoints allows an authenticated attacker to read and delete arbitrary files under their user data root (for example secrets.json and settings.json) by supplying avatar_url="..". This issue has been patched in version 1.17.0.
Published: 2026-04-02
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read/Deletion
Action: Immediate Patch
AI Analysis

Impact

A path traversal flaw in SillyTavern’s /api/chats/export and /api/chats/delete endpoints allows an authenticated user to read or delete any file beneath the user’s data root, such as secrets.json and settings.json. The weakness is a file path manipulation vulnerability (CWE-22), granting the attacker compromise of confidential data and the ability to alter or destroy user configuration files.

Affected Systems

SillyTavern versions published before 1.17.0, running locally and accessed via the web interface. Any user who can log in to the local instance can exploit the vulnerable endpoints and impact the user’s data directory.

Risk and Exploitability

The flaw carries a CVSS score of 8.3, indicating high severity, while the EPSS assessment is below 1%, suggesting a low current likelihood of exploitation. It is not listed in the CISA KEV catalog. The attack requires only a locally authenticated session, so the risk is greatest for users running the application with sufficient privileges, who can trigger the file read or delete operations.

Generated by OpenCVE AI on April 13, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SillyTavern to version 1.17.0 or later.

Generated by OpenCVE AI on April 13, 2026 at 19:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vprr-q85p-79mf SillyTavern: Path Traversal in `/api/chats/export` and `/api/chats/delete` allows arbitrary file read/delete within user data root
History

Mon, 13 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:sillytavern:sillytavern:*:*:*:*:*:node.js:*:*

Fri, 03 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Sillytavern
Sillytavern sillytavern
Vendors & Products Sillytavern
Sillytavern sillytavern

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in chat endpoints allows an authenticated attacker to read and delete arbitrary files under their user data root (for example secrets.json and settings.json) by supplying avatar_url="..". This issue has been patched in version 1.17.0.
Title SillyTavern: Path traversal in `/api/chats/export` and `/api/chats/delete` allows arbitrary file read/delete within user data root
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}

Subscriptions

Sillytavern Sillytavern
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T18:12:52.047Z

Reserved: 2026-03-30T16:03:31.048Z

Link: CVE-2026-34524

cve-icon Vulnrichment

Updated: 2026-04-02T18:30:15.841Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T18:16:29.763

Modified: 2026-04-13T18:43:05.203

Link: CVE-2026-34524

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:42:00Z

Weaknesses