CVE-2026-34522: SillyTavern is a locally installed user interface that allows users to interact with text generation large language mode
Summary
SillyTavern, a locally installed interface for interacting with AI text generation models, had a path traversal vulnerability (a flaw that lets attackers write files outside the intended directory) in its /api/chats/import feature prior to version 1.17.0. An authenticated attacker could exploit this by injecting traversal sequences into the character_name field to place malicious files outside the chats directory.
Solution / Mitigation
This issue has been patched in version 1.17.0. Users should upgrade to version 1.17.0 or later.
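The class of flaw described in the summary, shown as an added example (this is not SillyTavern's code or its 1.17.0 patch): a client-supplied name joined into a storage path unchecked, beside a hardened resolver that accepts only single path components and confirms the resolved target stays inside the chats directory. `CHATS_ROOT` and all function names are assumptions made for illustration.

```javascript
// Added illustration; not SillyTavern source. All names here are hypothetical.
const path = require('node:path');

const CHATS_ROOT = path.resolve('/srv/app/data/chats'); // assumed storage root

// Unsafe pattern: the client-supplied name is joined into the path unchecked,
// so ".." components in it move the target out of CHATS_ROOT.
function unsafeChatPath(characterName, fileName) {
  return path.join(CHATS_ROOT, characterName, fileName);
}

// Hardened: each name must be a single path component, and the fully
// resolved target must still sit strictly inside CHATS_ROOT.
function safeChatPath(characterName, fileName) {
  for (const part of [characterName, fileName]) {
    if (typeof part !== 'string' || part.length === 0 || part.length > 255) {
      throw new Error('invalid name');
    }
    // Reject both separator styles, NUL bytes, and dot-only components.
    if (/[\/\\\0]/.test(part) || /^\.+$/.test(part)) {
      throw new Error('invalid name');
    }
  }
  const target = path.resolve(CHATS_ROOT, characterName, fileName);
  const rel = path.relative(CHATS_ROOT, target);
  // Defence in depth: containment check on the resolved path itself.
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('path escapes chats directory');
  }
  return target;
}

// Helper for callers and tests: true when the hardened resolver refuses the input.
function isRejected(characterName, fileName) {
  try {
    safeChatPath(characterName, fileName);
    return false;
  } catch {
    return true;
  }
}
```

The containment check runs on the resolved path, so it still holds if the component validation is later relaxed.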
Vulnerability Details
CVSS score: 8.1 (high)
EPSS: 0.0%
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack vector: network
Attack complexity: low
Privileges required: low
User interaction: none
April 2, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-34522
First tracked: April 2, 2026 at 08:08 PM
Classified by LLM (prompt v3) · confidence: 92%