Description
SillyTavern 1.18.0 added a generic server-side request filter (Private Request Whitelisting).
Recommendation
Update the sillytavern package to the latest compatible version. Followings are version details:
- Affected version(s): <= 1.17.0
- Patched version(s): 1.18.0
References
Related Issues
- SillyTavern has a reflected XSS vulnerability in the CORS proxy middleware - CVE-2026-44651
- i18next-http-middleware has path traversal / SSRF via user-controlled language and namespace parameters - CVE-2026-42353
- SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl - CVE-2026-46372
- Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF - CVE-2025-62718
You might also like:
- Tags:
- npm
- sillytavern
Anything's wrong? Let us know Last updated on May 12, 2026