CVE-2026-34526: SillyTavern is a locally installed user interface that allows users to interact with text generation large language mode
Summary
SillyTavern, a local application that lets users interact with AI text generation models and other AI tools, had a security flaw in versions before 1.17.0 where it didn't properly validate all types of network addresses. The validation only checked for standard IPv4 addresses (like 127.0.0.1) but missed other ways to refer to the local computer, such as 'localhost' or IPv6 addresses, which could allow SSRF (server-side request forgery, where an attacker tricks the application into making unwanted network requests to internal services).
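The gap described above, shown as an added example (not SillyTavern's own code; the function names and sample URLs are hypothetical): a check that only recognises dotted IPv4 next to one that also covers localhost names and IPv6 literals, including IPv4-mapped ones.

```javascript
// Added illustration: function names are hypothetical, not SillyTavern's own code.
const DOTTED_V4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

function isInternalV4(a, b) {
  return a === 0 || a === 10 || a === 127 ||      // "this host", RFC 1918, loopback
    (a === 169 && b === 254) ||                   // link-local
    (a === 172 && b >= 16 && b <= 31) ||          // RFC 1918
    (a === 192 && b === 168);                     // RFC 1918
}

// Weak check of the kind the advisory describes: only dotted-quad IPv4 is
// recognised, so 'localhost' and IPv6 literals are treated as external.
function weakIsInternal(url) {
  const m = DOTTED_V4.exec(new URL(url).hostname);
  return m ? isInternalV4(Number(m[1]), Number(m[2])) : false;
}

// Stricter check: also covers localhost names and IPv6 literals. The WHATWG
// URL parser has already lowercased the host and compressed the IPv6 form.
function strictIsInternal(url) {
  const host = new URL(url).hostname.replace(/\.$/, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  const v4 = DOTTED_V4.exec(host);
  if (v4) return isInternalV4(Number(v4[1]), Number(v4[2]));
  if (!host.startsWith('[')) return false;        // ordinary DNS name
  const v6 = host.slice(1, -1);
  if (v6 === '::' || v6 === '::1') return true;   // unspecified, loopback
  if (/^f[cd][0-9a-f]{2}:/.test(v6)) return true; // fc00::/7 unique local
  if (/^fe[89ab][0-9a-f]:/.test(v6)) return true; // fe80::/10 link-local
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(v6);
  if (mapped) {                                   // IPv4-mapped: decode first 16 bits
    const hi = parseInt(mapped[1], 16);
    return isInternalV4(hi >> 8, hi & 0xff);
  }
  return false;
}

// Constructed sample URLs.
const samples = ['http://127.0.0.1:5000/', 'http://localhost:5000/',
  'http://[::1]:5000/', 'http://[::ffff:127.0.0.1]/',
  'http://[2001:db8::1]/', 'https://example.com/'];
for (const u of samples) console.log(u, weakIsInternal(u), strictIsInternal(u));
```

A hostname check like this does not cover DNS names that resolve to internal addresses, so the resolved address also needs to be checked when the connection is made.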
Solution / Mitigation
Update to version 1.17.0 or later, where this issue has been patched.
Vulnerability Details
CVSS score: 5 (medium)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack vector: network
Attack complexity: low
Privileges required: low
User interaction: none
April 2, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-34526
First tracked: April 2, 2026 at 08:08 PM
Classified by LLM (prompt v3) · confidence: 85%