PatchSiren cyber security CVE debrief
CVE-2026-46372 SillyTavern CVE debrief
CVE-2026-46372 is a high-severity (CVSS 8.5) server-side request forgery (SSRF) vulnerability in SillyTavern, a locally installed user interface for interacting with AI models. The vulnerability exists in versions prior to 1.18.0 in the `/api/search/searxng` endpoint, which accepts attacker-controlled `baseUrl` parameters and uses them directly to construct outbound server-side HTTP requests. An authenticated low-privilege attacker can exploit this to probe and retrieve responses from internal services or loopback addresses that would otherwise be inaccessible from the external network. The vulnerability is classified under CWE-918 (Server-Side Request Forgery) and was remediated in SillyTavern version 1.18.0. Organizations running affected versions should prioritize upgrading to the patched release to prevent potential internal network reconnaissance or data exfiltration through SSRF exploitation.
- Vendor
- SillyTavern
- Product
- Unknown
- CVSS
- HIGH 8.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-29
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-29
- Advisory updated
- 2026-05-29
Who should care
Organizations and individuals running SillyTavern instances, particularly those deployed in environments with access to sensitive internal services or with multi-user configurations where low-privilege accounts exist. Security teams responsible for AI/ML tooling infrastructure and developers maintaining forked or customized SillyTavern deployments.
Technical summary
The `/api/search/searxng` endpoint in SillyTavern prior to 1.18.0 fails to validate or restrict user-supplied `baseUrl` values before incorporating them into server-side HTTP requests. This allows authenticated attackers to specify arbitrary URLs, including internal network addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and loopback interfaces (127.0.0.1, ::1), effectively using the SillyTavern server as a proxy to probe otherwise unreachable services. The vulnerability requires low-privilege authentication but is exploitable over the network with no user interaction. The CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N) reflects network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, high confidentiality impact, and low integrity impact.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade SillyTavern to version 1.18.0 or later to remediate the SSRF vulnerability
- Review network segmentation to ensure internal services are not exposed to the SillyTavern host
- Implement input validation on any custom deployments that may have similar `baseUrl` parameter handling
- Monitor access logs for unusual outbound requests from SillyTavern instances to internal IP ranges or loopback addresses
- If immediate patching is not feasible, consider restricting SillyTavern access to trusted administrative users only
Evidence notes
Vulnerability description and fix version confirmed via GitHub Security Advisory. CVSS vector and CWE classification sourced from NVD record. No known exploitation in the wild or CISA KEV listing at time of disclosure.
Official resources
-
CVE-2026-46372 CVE record
CVE.org
-
CVE-2026-46372 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
2026-05-29