Description
SillyTavern 1.18.0 added a generic server-side request filter (Private Request Whitelisting).
Recommendation
Update the sillytavern package to the latest compatible version. Version details:
- Affected version(s): <= 1.17.0
- Patched version(s): 1.18.0
References
Related Issues
- SillyTavern: Incomplete IP validation in /api/search/visit allows SSRF via localhost and IPv6 - CVE-2026-34526
- SillyTavern has a SSRF vulnerability in the CORS proxy middleware - CVE-2026-44652
- Axios: no_proxy bypass via IP alias allows SSRF - CVE-2026-42038
- Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click - CVE-2026-43941
- Tags: npm, sillytavern
Last updated on May 27, 2026


