SillyTavern has a reflected XSS vulnerability in the CORS proxy middleware
- Severity: Medium
Description
Fixed in SillyTavern 1.18.0: a user-provided URL is no longer reflected in the HTTP response body.
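A minimal sketch of the pattern this fix describes, as an added example that is not SillyTavern's code: a hypothetical proxy error handler that echoes the requested URL into an HTML body, beside one that returns a constant body, plus a regression check. All function names, messages and the sample URL are assumptions.

```javascript
// Hypothetical proxy error handlers (illustration only, not SillyTavern source).
// Each returns a plain response description so it can be checked without a server.

// Before: the user-supplied URL is interpolated into an HTML response body.
function proxyErrorReflecting(targetUrl) {
  return {
    status: 500,
    headers: { 'Content-Type': 'text/html; charset=utf-8' },
    body: 'Error occurred while trying to proxy to: ' + targetUrl,
  };
}

// After: constant body, nothing from the request echoed, non-HTML content type.
function proxyErrorFixed(targetUrl, log = console.error) {
  // Operators still get the URL, but only in the server-side log.
  log('proxy request failed for %s', JSON.stringify(String(targetUrl)));
  return {
    status: 500,
    headers: {
      'Content-Type': 'text/plain; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: 'Proxy request failed.',
  };
}

// Regression check: does the input, raw or percent-decoded, appear in the body?
function reflectsInput(response, input) {
  const forms = new Set([input]);
  try {
    forms.add(decodeURIComponent(input));
  } catch {
    // Malformed percent-escape: only the raw form is checked.
  }
  return [...forms].some((f) => f.length > 0 && response.body.includes(f));
}

// Constructed sample input: a URL carrying harmless marker markup.
const SAMPLE = 'http://example.invalid/<b>probe</b>';

console.log('before reflects input:', reflectsInput(proxyErrorReflecting(SAMPLE), SAMPLE));
console.log('after reflects input: ', reflectsInput(proxyErrorFixed(SAMPLE, () => {}), SAMPLE));
```

A check like `reflectsInput` fits in an integration test that sends a marker URL through the proxy route and fails if the marker comes back in the body.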
Recommendation
Update the sillytavern package to the latest compatible version. Version details:
- Affected version(s): <= 1.17.0
- Patched version(s): 1.18.0
References
Related Issues
- SillyTavern has a SSRF vulnerability in the CORS proxy middleware - CVE-2026-44652
- SillyTavern has a path traversal in `/api/chats/import` allows arbitrary file write outside intended chat directory - CVE-2026-34522
- Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries - CVE-2026-32728
- music-metadata has an infinite loop vulnerability in ASF parser - CVE-2026-32256
- Tags: npm, sillytavern
Last updated on May 12, 2026


