CVE-2026-26286: SillyTavern is a locally installed user interface that allows users to interact with text generation large language mode
Summary
SillyTavern is a locally installed interface for interacting with text generation AI models and other AI tools. Versions before 1.16.0 had an SSRF vulnerability (server-side request forgery, where an attacker can make the server send requests to internal networks or services it shouldn't access), allowing authenticated users to read responses from internal services and private network resources through the asset download feature.
Solution / Mitigation
The vulnerability has been patched in version 1.16.0 by introducing a whitelist domain check for asset download requests. The whitelist can be reviewed and customized by editing the `whitelistImportDomains` array in the `config.yaml` file.
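One way a domain allowlist check for download URLs can be written, as an added example that is not SillyTavern's code: the function names and sample domains are constructed, and `ALLOWED_DOMAINS` stands in for the `whitelistImportDomains` array.

```javascript
// Added example, not SillyTavern's code. Function names and domains are constructed.
// ALLOWED_DOMAINS stands in for the whitelistImportDomains array from config.yaml.
const ALLOWED_DOMAINS = ['assets.example.org', 'cdn.example.net'];

// Returns true only when rawUrl is http(s) and its parsed hostname exactly
// equals an allowlisted domain.
function isAllowedDownloadUrl(rawUrl, allowedDomains = ALLOWED_DOMAINS) {
    let url;
    try {
        url = new URL(rawUrl);
    } catch {
        return false; // unparseable input is rejected, never passed through
    }
    if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
    // Compare the parsed hostname, not the raw string: substring or prefix
    // checks on the raw URL are confused by userinfo and look-alike suffixes.
    const host = url.hostname.toLowerCase().replace(/\.$/, '');
    return allowedDomains.some((d) => host === d.toLowerCase());
}

// A redirect can point somewhere else, so every hop must pass the same check.
// Returns the index of the first rejected hop, or -1 when all hops pass.
function firstRejectedHop(hops, allowedDomains = ALLOWED_DOMAINS) {
    return hops.findIndex((u) => !isAllowedDownloadUrl(u, allowedDomains));
}

// Constructed sample requests, run through the check.
const samples = [
    'https://assets.example.org/pack/a.png',          // allowlisted host
    'https://ASSETS.EXAMPLE.ORG./pack/a.png',         // case and trailing dot
    'https://assets.example.org.internal.test/a.png', // look-alike suffix
    'https://assets.example.org@10.0.0.5/a.png',      // userinfo, host is 10.0.0.5
    'http://127.0.0.1:8080/status',                   // loopback service
    'file:///etc/hosts',                              // non-http scheme
];
for (const s of samples) {
    console.log(isAllowedDownloadUrl(s) ? 'allow' : 'deny ', s);
}
```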
Vulnerability Details
EPSS: 0.0%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-26286
First tracked: February 19, 2026 at 07:07 PM