Platform: nodejs
Component: sillytavern
Fixed in: 1.17.1, 1.17.0
CVE-2026-34523 describes a Path Traversal vulnerability discovered in SillyTavern, a character AI web UI. This vulnerability allows unauthenticated users to determine the existence of files on the server's filesystem by crafting specific requests. Affected versions are those prior to 1.17.0. A fix has been released in version 1.17.0.
The primary impact of this vulnerability is information disclosure. An attacker can use percent-encoded ../ sequences in requests to static file routes to probe the server's filesystem. A 404 response indicates a file does not exist, while a 403 response confirms its presence. While this doesn't allow direct file access or modification, it provides valuable reconnaissance information. An attacker could use this to identify sensitive files, configuration files, or even internal directories, potentially leading to further exploitation attempts. This vulnerability is similar in concept to other path traversal flaws, where attackers leverage directory traversal sequences to bypass access controls.
CVE-2026-34523 was publicly disclosed on 2026-04-01. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog. The CVSS score of 5.3 rates the vulnerability as medium severity.
Exploit Status
EPSS: 0.08% (25th percentile)
CISA SSVC: (not provided)
CVSS Vector: (not provided)
The recommended mitigation is to immediately upgrade SillyTavern to version 1.17.0 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing percent-encoded ../ sequences. Additionally, review and restrict file permissions on the server to minimize the potential impact of file discovery. Regularly scan the server for unexpected files or directories.
Update SillyTavern to version 1.17.0 or higher. This version fixes the path traversal vulnerability that allows unauthenticated users to verify the existence of files on the server's filesystem. The update prevents unauthorized access to sensitive information.
CVE-2026-34523 is a Path Traversal vulnerability in SillyTavern allowing attackers to determine file existence on the server. It affects versions before 1.17.0 and has a CVSS score of 5.3 (MEDIUM).
You are affected if you are running SillyTavern versions prior to 1.17.0. Check your version and upgrade immediately if necessary.
Upgrade SillyTavern to version 1.17.0 or later. As a temporary workaround, implement a WAF rule to block requests containing percent-encoded '../' sequences.
As of this writing, there are no confirmed reports of active exploitation of CVE-2026-34523, but it is publicly known and could be targeted.
Refer to the SillyTavern project's official repository or website for the latest security advisories and release notes related to CVE-2026-34523.