Description
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, POST /api/extensions/delete endpoint accepts extensionName: "." which bypasses sanitize-filename validation, causing the entire user extensions directory to be recursively deleted. No authentication is required in the default configuration. This vulnerability is fixed in 1.18.0.
Published: 2026-05-29
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in SillyTavern's POST /api/extensions/delete endpoint, where the server accepts an extensionName parameter without adequate validation. Supplying the value "." bypasses the sanitize-filename routine, and a path built from the user extensions directory and "." resolves to the extensions directory itself, so the recursive delete intended for a single extension removes every installed extension instead. The result is loss of all installed extensions and any configuration or script data they contain. This is an integrity and availability impact; the CVSS vector records no confidentiality impact, so nothing is disclosed to the attacker.

Affected Systems

SillyTavern (vendor: SillyTavern), any release prior to version 1.18.0. The fix is included in 1.18.0 and later versions.

Risk and Exploitability

The flaw carries a CVSS 3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), marking it a critical vulnerability. No EPSS score is available, and it is not listed in the CISA KEV catalog. Exploitation requires only a single unauthenticated POST request to the vulnerable endpoint; no user interaction is needed. In the default configuration the server accepts local connections, so any process on the host that can reach the listening port can trigger the deletion. If the port is bound to a network interface or forwarded (for example to reach the UI from another device), the same request can be sent remotely. The vulnerability was addressed in SillyTavern 1.18.0; any earlier installation remains at risk.

Generated by OpenCVE AI on May 29, 2026 at 19:21 UTC.

Remediation

Fixed in SillyTavern 1.18.0 (see the description and the linked GHSA advisory). No vendor workaround for earlier versions is listed.

OpenCVE Recommended Actions

  • Apply the SillyTavern update to version 1.18.0 or newer to restore proper filename validation and prevent recursive deletion.
  • If extension management through the API is not needed, restrict access to the /api/extensions/delete endpoint, for example by requiring authentication or accepting only local connections.
  • When the API must remain reachable, enforce network restrictions (firewall rules or host-based controls) so that only trusted local processes can reach the SillyTavern port, thereby reducing the attack surface.
  • Keep the user extensions directory under regular backup so that a triggered deletion can be reverted; after upgrading, reinstall any extensions that were removed from their original sources.

Advisories

Source: GitHub GHSA
ID: GHSA-886q-f44j-h6wh
Title: SillyTavern has a Path Traversal issue

History

Fri, 29 May 2026 18:30:00 +0000

Values removed: none.

Values added:
Description: SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, POST /api/extensions/delete endpoint accepts extensionName: "." which bypasses sanitize-filename validation, causing the entire user extensions directory to be recursively deleted. No authentication is required in the default configuration. This vulnerability is fixed in 1.18.0.
Title: SillyTavern: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Weaknesses: CWE-22
References: (none listed)
Metrics: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T19:13:57.913Z

Reserved: 2026-05-07T15:30:10.875Z

Link: CVE-2026-44650

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-29T19:16:24.857

Modified: 2026-05-29T19:16:24.857

Link: CVE-2026-44650

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T19:30:05Z

Weaknesses