{"data":{"id":"d8557c5b-8756-44fd-ad21-f8373dc101f1","title":"CVE-2026-35487: text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticate","summary":"CVE-2026-35487 is a path traversal vulnerability (a flaw that lets attackers read files outside the intended directory) in text-generation-webui, an open-source tool for running large language models through a web interface. Before version 4.3, attackers could exploit the load_prompt() function without logging in to read any .txt file on the server and see its contents in the API response.","solution":"Update text-generation-webui to version 4.3 or later, where this vulnerability is fixed.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-35487","publishedAt":"2026-04-07T16:16:26.853Z","cveId":"CVE-2026-35487","cweIds":["CWE-22"],"cvssScore":"5.3","cvssSeverity":"medium","severity":"medium","attackType":["data_extraction"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["text-generation-webui"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","attackVector":"network","attackComplexity":"low","privilegesRequired":"none","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-04-07T16:16:26.853Z","capecIds":["CAPEC-126"],"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}