Description
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, in src/endpoints/search.js, the hostname is checked against /^\d+\.\d+\.\d+\.\d+$/. This only matches literal dotted-quad IPv4 (e.g. 127.0.0.1, 10.0.0.1). It does not catch: localhost (hostname, not dotted-quad), [::1] (IPv6 loopback), and DNS names resolving to internal addresses (e.g. localtest.me -> 127.0.0.1). A separate port check (urlObj.port !== '') limits exploitation to services on default ports (80/443), making this lower severity than a fully unrestricted SSRF. This issue has been patched in version 1.17.0.
Published: 2026-04-02
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑side request forgery through localhost and IPv6
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in SillyTavern’s /api/search/visit endpoint allows an attacker to cause the server to issue HTTP requests to hostnames supplied by the user. Because the server only validates numeric IPv4 dotted‑quad addresses, values such as "localhost", the IPv6 loopback "[::1]", or DNS names that resolve to internal IPv4 addresses bypass the check. The attacker can direct the server to talk to services on the local machine or within the local network, exposing sensitive data or enabling further lateral movement. The weakness maps to the classic server‑side request forgery category.

Affected Systems

All installations of SillyTavern running a version earlier than 1.17.0 are affected, regardless of operating system or deployment environment. The issue is confined to the search‑visit endpoint logic and was addressed in the 1.17.0 release.

Risk and Exploitability

This flaw has a CVSS score of 5.0, placing it in the medium severity range. No EPSS score is available, and it is not listed in CISA’s Known Exploited Vulnerabilities catalog, suggesting no confirmed exploits in the wild yet. An attacker would need either local access or a way to submit a request to the vulnerable endpoint; the exploit is limited to services listening on default ports 80 or 443, reducing the potential impact compared to a fully unrestricted SSRF but still providing a meaningful attack surface.

Generated by OpenCVE AI on April 2, 2026 at 22:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official SillyTavern patch (version 1.17.0 or later) by downloading the latest release from the project's GitHub repository.

Advisories
Source: Github GHSA
ID: GHSA-wm7j-m6jm-8797
Title: SillyTavern: Incomplete IP validation in /api/search/visit allows SSRF via localhost and IPv6
History

Fri, 03 Apr 2026 10:15:00 +0000

Type: First Time appeared. Values added: Sillytavern; Sillytavern sillytavern
Type: Vendors & Products. Values added: Sillytavern; Sillytavern sillytavern

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description. Values added: the CVE description text (identical to the description at the top of this page)
Type: Title. Values added: SillyTavern: Incomplete IP validation in /api/search/visit allows SSRF via localhost and IPv6
Type: Weaknesses. Values added: CWE-918
Type: References. Values added: none shown
Type: Metrics. Values added:
  cvssV3_1: {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T17:48:03.787Z

Reserved: 2026-03-30T16:03:31.048Z

Link: CVE-2026-34526

Vulnrichment

Updated: 2026-04-02T17:47:54.532Z

NVD

Status : Awaiting Analysis

Published: 2026-04-02T18:16:29.917

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-34526

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:18:06Z

Weaknesses