CVE-2026-34524: SillyTavern is a locally installed user interface that allows users to interact with text generation large language mode
Summary
SillyTavern is a locally installed interface for interacting with text generation AI models and related tools. Before version 1.17.0, it had a path traversal vulnerability (a flaw where an attacker can access files outside the intended directory) that allowed authenticated attackers to read and delete arbitrary files like secrets.json and settings.json by manipulating the avatar_url parameter.
Solution / Mitigation
This issue has been patched in version 1.17.0. Users should update to version 1.17.0 or later.
Vulnerability Details
CVSS score: 8.3 (high)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack vector: network
Attack complexity: low
Privileges required: low
User interaction: none
April 2, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-34524
First tracked: April 2, 2026 at 08:08 PM