CVE-2026-44650: SillyTavern is a locally installed user interface that allows users to interact with text generation large language mode
Summary
SillyTavern is a locally installed interface for interacting with text generation AI models, image generators, and voice tools. Prior to version 1.18.0, a vulnerability allowed attackers to delete the entire user extensions directory without authentication by sending a specially crafted request to the delete endpoint that bypassed filename validation (a security check that prevents malicious file paths).
Solution / Mitigation
This vulnerability is fixed in version 1.18.0. Users should update SillyTavern to 1.18.0 or later.
Vulnerability Details
9.1(critical)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
network
low
none
none
May 29, 2026
Classification
Taxonomy References
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-44650
First tracked: May 29, 2026 at 08:09 PM
Classified by LLM (prompt v3) · confidence: 92%