PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44651 SillyTavern CVE debrief

A reflected cross-site scripting (XSS) vulnerability exists in SillyTavern prior to version 1.18.0. SillyTavern is a locally installed web front end for text-generation large language models, image-generation engines and text-to-speech voice models. When `fetch(url)` throws inside the proxy error path, the handler builds an HTTP 500 response by concatenating the attacker-controlled URL parameter (`req.params.url`) into the response body without HTML escaping, so markup and script placed in that parameter are reflected into the victim's browser and execute in the origin of the SillyTavern instance. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and was remediated in version 1.18.0. The recorded CVSS 4.0 vector reports network attack vector, low attack complexity, no privileges required and no user interaction, with low confidentiality and integrity impact. Note that the no-user-interaction rating sits oddly with a reflected XSS, which in practice needs the victim to load a crafted link (see the technical summary below); treat the stored vector as the advisory's metadata rather than as a statement about exploitation mechanics.

Vendor
SillyTavern
Product
Unknown
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Organizations and individuals running SillyTavern older than 1.18.0. Network exposure raises the risk, but a localhost-only binding is not a defence against reflected XSS: the payload is delivered as a link that the victim's own browser opens, so an instance bound to 127.0.0.1 is reachable from any web page the operator visits. Security teams responsible for local AI/LLM front ends should prioritize patching.

Technical summary

The vulnerability resides in the error-handling logic of the proxy route. When `fetch(url)` throws, the handler runs `res.status(500).send('Error occurred while trying to proxy to: ' + url + ' ' + error)`, where `url` comes from `req.params.url`. The Express-style `res.send` defaults a string body to `text/html`, so without escaping the browser parses any markup in `url` (and in the stringified `error`, which for a fetch failure may itself echo the URL) as HTML and runs any script it contains. This is the classic reflected XSS shape: unsanitized request input echoed into the response. Exploitation requires the victim to open a crafted URL carrying the payload in the URL parameter; the injected script then runs in the origin of the SillyTavern instance, with the same access to that origin's storage and API endpoints as the legitimate UI.
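The pattern above, as an added illustration that is not SillyTavern's code and not the 1.18.0 fix: the vulnerable 500-response construction beside two hardened variants (HTML-escape every interpolated value, or send the diagnostic as `text/plain`). `makeRes()` is an assumed stand-in for an Express response object so the example runs without Express; the sample URL and error are constructed.

```javascript
// Added example (editor's illustration, not SillyTavern's code): the vulnerable
// error-response pattern from the advisory beside two hardened variants.
// makeRes() is an assumption made here to mimic an Express `res` object.

// Stand-in for Express `res`: Express's res.send(string) defaults Content-Type
// to text/html, which is what lets concatenated markup render as HTML.
function makeRes() {
  const res = { statusCode: 200, headers: {}, body: '' };
  res.status = (code) => { res.statusCode = code; return res; };
  res.type = (t) => { res.headers['content-type'] = t + '; charset=utf-8'; return res; };
  res.send = (body) => {
    if (!res.headers['content-type']) res.headers['content-type'] = 'text/html; charset=utf-8';
    res.body = String(body);
    return res;
  };
  return res;
}

// The pre-1.18.0 pattern described in the advisory: `url` comes from
// req.params.url and is concatenated straight into the 500 body. The thrown
// error's text is concatenated too, and fetch() errors often echo the URL.
function vulnerableErrorResponse(res, url, error) {
  return res.status(500).send('Error occurred while trying to proxy to: ' + url + ' ' + error);
}

// Minimal HTML escaper covering the five characters that matter in text and attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened variant 1: keep the HTML body but escape every interpolated value,
// including the error text, which can carry attacker-influenced content.
function escapedErrorResponse(res, url, error) {
  return res.status(500).send('Error occurred while trying to proxy to: ' + escapeHtml(url) + ' ' + escapeHtml(error));
}

// Hardened variant 2: send the diagnostic as text/plain so the browser never
// parses it as HTML at all (usually the better choice for an API/proxy route).
function plainTextErrorResponse(res, url, error) {
  return res.status(500).type('text/plain').send('Error occurred while trying to proxy to: ' + url + ' ' + error);
}

// Reviewer check over a response: does a text/html body carry raw markup?
function bodyRendersMarkup(res) {
  return /text\/html/i.test(res.headers['content-type'] || '') && /<[a-z!/]/i.test(res.body);
}

// Constructed sample input: a URL parameter carrying a script tag, and the kind
// of error a failed fetch() might raise for it.
const SAMPLE_URL = 'http://x.invalid/<script>alert(1)</script>';
const SAMPLE_ERROR = new Error('fetch failed: ' + SAMPLE_URL);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(bodyRendersMarkup(vulnerableErrorResponse(makeRes(), SAMPLE_URL, SAMPLE_ERROR))); // true
  console.log(bodyRendersMarkup(escapedErrorResponse(makeRes(), SAMPLE_URL, SAMPLE_ERROR)));    // false
  console.log(bodyRendersMarkup(plainTextErrorResponse(makeRes(), SAMPLE_URL, SAMPLE_ERROR)));  // false
}
```

Escaping the stringified error is not optional: a URL that makes `fetch` throw frequently reappears in the error message, so escaping `url` alone would leave a second reflection point.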

Defensive priority

medium

Recommended defensive actions

  • Upgrade SillyTavern to version 1.18.0 or later; this is the only real fix
  • If immediate patching is not feasible, a WAF or reverse-proxy rule that rejects requests to the affected route whose URL parameter contains `<`, `>`, `"` or `'` after percent-decoding blocks the straightforward payloads, but treat it as a stopgap: most SillyTavern installs run on a single host with nothing in front of them
  • Review request logs for raw or percent-encoded HTML/JavaScript in URL parameters, paying particular attention to requests on the proxy route that returned HTTP 500, since the payload is only reflected on the error path
  • In your own code, escape every value interpolated into an HTML response, or send diagnostics as `text/plain`; input validation alone does not fix missing output encoding
  • Deploy a Content Security Policy that disallows inline script to limit what an injected payload can do; CSP reduces impact but does not remove the bug
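The log-review step above, as an added example that is not part of the advisory: a small heuristic that pulls the request path out of combined-format access-log lines, percent-decodes it repeatedly so encoded payloads are caught, and flags paths carrying markup indicators. The log format and the four sample lines are constructed; the `/proxy/` path prefix in them is an assumption for illustration, not a route name taken from the advisory.

```javascript
// Added example, not part of the advisory or SillyTavern: a log-review heuristic
// for the reflected-XSS pattern. Log format (Apache/nginx "combined" style), the
// sample lines and the /proxy/ prefix are constructed assumptions.

// Constructed sample access-log lines: two benign, two carrying markup in the URL parameter.
const SAMPLE_LOG_LINES = [
  '203.0.113.5 - - [29/May/2026:10:00:01 +0000] "GET /proxy/https://example.com/image.png HTTP/1.1" 200 512',
  '203.0.113.5 - - [29/May/2026:10:00:02 +0000] "GET /scripts/app.js HTTP/1.1" 200 4096',
  '203.0.113.7 - - [29/May/2026:10:00:03 +0000] "GET /proxy/http://x.invalid/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 500 128',
  '203.0.113.9 - - [29/May/2026:10:00:04 +0000] "GET /proxy/http://x.invalid/%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 500 140',
];

// Request line inside a combined-format entry: method, path, protocol.
const REQUEST_LINE = /"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS) (\S+) HTTP\/\d(?:\.\d)?"/;

// Markup indicators: a tag opener, a javascript: scheme, or an on*= event handler.
// Deliberately loose; a URL parameter should never legitimately contain these.
const MARKUP_INDICATORS = /<\s*\/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=/i;

// Percent-decode repeatedly (max 3 rounds) so double-encoded payloads are caught too;
// a malformed sequence stops decoding and returns what was decoded so far.
function fullyDecode(s) {
  let cur = s;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { return cur; }
    if (next === cur) return cur;
    cur = next;
  }
  return cur;
}

// Returns one record per suspicious line: the raw line, the decoded path and
// the indicator that matched, for an analyst to triage.
function flagSuspiciousRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const m = REQUEST_LINE.exec(line);
    if (!m) continue;
    const decodedPath = fullyDecode(m[1]);
    const ind = MARKUP_INDICATORS.exec(decodedPath);
    if (ind) hits.push({ line, decodedPath, indicator: ind[0] });
  }
  return hits;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of flagSuspiciousRequests(SAMPLE_LOG_LINES)) {
    console.log(h.indicator, '=>', h.decodedPath);
  }
}
```

Filtering on the HTTP status (500) alongside the indicator match, as the action list suggests, cuts noise further: a reflected payload on this route only appears in a response when `fetch` has failed.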

Evidence notes

Vulnerability description confirms attacker-controlled `req.params.url` parameter is rendered without HTML escaping in error response. GitHub Security Advisory GHSA-xc4x-2452-5gc9 cited as primary source. Fix version 1.18.0 explicitly stated. CWE-79 classification confirmed in source metadata.

Official resources

2026-05-29