Server-Side Request Forgery in SillyTavern UI from SillyTavern
CVE-2026-26286

7.1HIGH

Key Information:

Vendor: Sillytavern
Status: Sillytavern
Vendor: CVE Published:; 19 February 2026

🔔 Create Sillytavern Vulnerability Alert

What is CVE-2026-26286?

SillyTavern, an interface for interacting with various generation models, is susceptible to a Server-Side Request Forgery (SSRF) vulnerability. This issue allows authenticated users to craft malicious requests to the server's asset download endpoint, leading to unauthorized access to internal services and private network resources. The vulnerability can be exploited to obtain sensitive information from cloud metadata and internal services. It was addressed in version 1.16.0 through the implementation of a whitelist domain check for asset download requests, which can be configured in the whitelistImportDomains array within the config.yaml file.

Affected Version(s)

SillyTavern < 1.16.0

References

https://github.com/SillyTavern/SillyTavern/security/advis...

x_refsource_CONFIRM

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 19, 2026
Vulnerability Reserved
Feb 12, 2026

CVE-2026-26286 Data

JSON