CVE-2026-35483: text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticate
Summary
CVE-2026-35483 is a path traversal vulnerability (a flaw that lets attackers read files outside intended directories) in text-generation-webui, an open-source tool for running large language models. Versions before 4.3 allow unauthenticated attackers to read files with extensions like .jinja, .jinja2, .yaml, or .yml from anywhere on the server.
Solution / Mitigation
Update to version 4.3 or later. The vulnerability is fixed in 4.3.
Vulnerability Details
CVSS score: 5.3 (medium)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack vector: network
Attack complexity: low
Privileges required: none
User interaction: none
April 7, 2026
Related Issues
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
CVE-2025-54868: LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-35483
First tracked: April 7, 2026 at 02:08 PM