CVE-2026-46372: SillyTavern is a locally installed user interface that allows users to interact with text generation large language mode
Summary
SillyTavern, a locally installed tool for interacting with AI text and image generation models, is affected in versions before 1.18.0 by a server-side request forgery (SSRF) vulnerability in the /api/search/searxng endpoint. SSRF is a flaw where an attacker manipulates a server into accessing resources it shouldn't: here, an authenticated user could trick the server into making requests to internal or hidden services. An attacker could use this to access data from services that should only be available internally.
Solution / Mitigation
This vulnerability is fixed in version 1.18.0.
Vulnerability Details
CVSS score: 8.5 (high)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack vector: network
Attack complexity: low
Privileges required: low
User interaction: none
May 29, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-46372
First tracked: May 29, 2026 at 08:09 PM
Classified by LLM (prompt v3) · confidence: 85%