CVE-2026-34523: SillyTavern is a locally installed user interface that allows users to interact with text generation large language mode
mediumvulnerability
security
Summary
SillyTavern is a locally installed interface for interacting with text generation models and AI tools. Before version 1.17.0, it had a path traversal vulnerability (a flaw that lets attackers access files outside the intended directory) that allowed unauthenticated users to check whether files exist anywhere on the server by sending specially encoded requests with "../" sequences to the file routes.
Solution / Mitigation
This issue has been patched in version 1.17.0.
Vulnerability Details
CVSS Score
5.3(medium)
EPSS (30-day exploit probability)
EPSS: 0.0%
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
network
Attack Complexity
low
Privileges Required
none
User Interaction
none
Disclosure Date
April 2, 2026
Classification
Attack Type
Other
Attack SophisticationTrivial
Impact (CIA+S)
confidentiality
AI Component TargetedInference
Affected Vendors
Related Issues
Monthly digest — independent AI security research
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-34523
First tracked: April 2, 2026 at 08:08 PM
Classified by LLM (prompt v3) · confidence: 92%