Skip to main content

CVE-2026-34526

MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-01 https://github.com/SillyTavern/SillyTavern GHSA-wm7j-m6jm-8797
5.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.0 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Apr 02, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 01, 2026 - 22:16 vuln.today
CVE Published
Apr 01, 2026 - 21:42 nvd
MEDIUM 5.0

DescriptionGitHub Advisory

Details

Distinct from CVE-2025-59159 and CVE-2026-26286 (all fixed in v1.16.0). This endpoint is still unpatched.

In src/endpoints/search.js line 419, the hostname is checked against /^\d+\.\d+\.\d+\.\d+$/. This only matches literal dotted-quad IPv4 (e.g. 127.0.0.1, 10.0.0.1). It does not catch:

  • localhost (hostname, not dotted-quad)
  • [::1] (IPv6 loopback)
  • DNS names resolving to internal addresses (e.g. localtest.me -> 127.0.0.1)

A separate port check (urlObj.port !== '') limits exploitation to services on default ports (80/443), making this lower severity than a fully unrestricted SSRF.

PoC

  1. Start SillyTavern v1.16.0 normally
  2. Send requests to compare blocked vs bypassed (requires a valid session cookie or CSRF disabled):
bash
# Blocked - dotted-quad matched by regex
curl -s -o /dev/null -w "%{http_code}" -X POST http://127.0.0.1:8000/api/search/visit \
  -H "Content-Type: application/json" \
  -d '{"url": "http://127.0.0.1/", "html": true}'
# Returns: 400 (blocked)
# Bypassed - "localhost" is not dotted-quad
curl -s -o /dev/null -w "%{http_code}" -X POST http://127.0.0.1:8000/api/search/visit \
  -H "Content-Type: application/json" \
  -d '{"url": "http://localhost/", "html": true}'
# Returns: 500 (passed validation, fetch attempted, ECONNREFUSED because nothing on port 80)
# Bypassed - IPv6 loopback is not dotted-quad
curl -s -o /dev/null -w "%{http_code}" -X POST http://127.0.0.1:8000/api/search/visit \
  -H "Content-Type: application/json" \
  -d '{"url": "http://[::1]/", "html": true}'
# Returns: 500 (passed validation, fetch attempted)

The 400 vs 500 difference confirms localhost and [::1] pass the IP check. The 500 is ECONNREFUSED (nothing listening on port 80), not a validation rejection.

Impact

Server-side request forgery with partial restrictions. An authenticated user can force the server to fetch from internal hosts on default ports (80/443) using hostnames or IPv6 addresses that bypass the IP check. The full response body is returned. Lower severity than a fully unrestricted SSRF due to the port limitation.

Resolution

The issue was addressed in version 1.17.0 by improving IPv6 address validation

AnalysisAI

Server-side request forgery in SillyTavern's search endpoint allows authenticated users to bypass hostname validation and force the server to fetch from internal hosts on default ports (80/443) using alternative hostname representations. The vulnerability exists in v1.16.0 and earlier because the IPv4 validation regex only matches literal dotted-quad notation (e.g., 127.0.0.1), failing to block localhost, IPv6 loopback ([::1]), or DNS names resolving to internal addresses. The port restriction limits severity compared to fully unrestricted SSRF, but the full response body is returned to the attacker, enabling information disclosure. Patch available in v1.17.0.

Technical ContextAI

The vulnerability resides in src/endpoints/search.js line 419 where hostname validation uses a restrictive regex pattern /^\d+\.\d+\.\d+\.\d+$/ designed to block dotted-quad IPv4 addresses. However, this pattern fails to recognize alternative representations of localhost and loopback addresses: the hostname 'localhost' is alphanumeric and does not match; IPv6 loopback notation '[::1]' contains colons and brackets outside the regex scope; and DNS hostnames like 'localtest.me' that resolve to 127.0.0.1 are not statically validated. A secondary port check (urlObj.port !== '') only permits requests to default ports (80 and 443), which reduces the attack surface but does not prevent SSRF via these alternative hostname formats. The root cause is inadequate input validation (CWE-918: Server-Side Request Forgery) due to incomplete hostname normalization before regex matching. The affected product is the npm package 'sillytavern' running on Node.js.

RemediationAI

Upgrade SillyTavern to version 1.17.0 or later, which includes improved IPv6 address validation and corrected hostname matching logic. For users unable to upgrade immediately, apply the following mitigations: restrict network access to the SillyTavern instance to trusted users only, disable CSRF protections only if operationally necessary (enabling them prevents unauthenticated exploitation), disable or restrict the /api/search/visit endpoint if the search functionality is not required, and implement network-level egress filtering to block outbound connections to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8) from the SillyTavern process. Consult the official GitHub advisory at https://github.com/advisories/GHSA-wm7j-m6jm-8797 for additional vendor-recommended steps.

Share

CVE-2026-34526 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy