Description
SillyTavern 1.18.0 added a generic server-side request filter (Private Request Whitelisting).
Recommendation
Update the sillytavern package to the latest compatible version. Version details:
- Affected version(s): <= 1.17.0
- Patched version(s): 1.18.0
References
Related Issues
- SillyTavern: Incomplete IP validation in /api/search/visit allows SSRF via localhost and IPv6 - CVE-2026-34526
- Axios: no_proxy bypass via IP alias allows SSRF - CVE-2026-42038
- SillyTavern has a SSRF vulnerability in the CORS proxy middleware - CVE-2026-44652
- Cloudflare has SSRF via redirect following through its image-binding-transform endpoint (incomplete fix for GHSA-qpr4) - CVE-2026-41321
Tags
- npm
- sillytavern
Last updated on May 27, 2026


