Impact
SillyTavern exposes an endpoint that accepts an attacker‑controlled base URL and uses it directly for outbound server‑side fetches. Because the base URL is not validated, an authenticated user with only low privileges can point the request to internal or loopback services and receive the response body of the /search route. This allows the user to read internal data or interact with services that are otherwise inaccessible from the network, potentially leading to further exploitation or data leakage. The vulnerability is formally identified by CWE‑918 and is mitigated in version 1.18.0 of SillyTavern.
Affected Systems
The vulnerable component is the SillyTavern SearXNG Search Proxy interface available in locally installed SillyTavern versions prior to 1.18.0. All releases of SillyTavern older than 1.18.0 that have not been patched expose the /api/search/searxng endpoint and therefore are affected.
Risk and Exploitability
The CVSS score of 8.5 marks this flaw as a high‑severity vulnerability. EPSS data is not available, and it is not listed in CISA’s KEV catalog, suggesting that known exploits have not yet been reported. The attack requires an authenticated user, but only low privileges are needed, so once a user has logged in, the SSRF can be leveraged instantly. Because the attack vector is internal or localhost requests, an attacker can trivially target services inside the same host or network segment. The lack of an official workaround means that the only safe mitigation is to apply the vendor’s patch or otherwise disable the vulnerable endpoint.
OpenCVE Enrichment
GitHub GHSA