SillyTavern has a reflected XSS vulnerability in the CORS proxy middleware
- Severity:
- Medium
Description
Fixed in SillyTavern 1.18.0: a user-provided URL is no longer reflected in the HTTP response body.
Recommendation
Update the sillytavern package to the latest compatible version. Followings are version details:
- Affected version(s): <= 1.17.0
- Patched version(s): 1.18.0
References
Related Issues
- SillyTavern has a SSRF vulnerability in the CORS proxy middleware - CVE-2026-44652
- @payloadcms/next has Stored XSS in Admin Panel - CVE-2026-34748
- Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes - CVE-2026-34405
- React Router has XSS Vulnerability - CVE-2025-59057
You might also like:
- Tags:
- npm
- sillytavern
Anything's wrong? Let us know Last updated on May 12, 2026


