{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-44650/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-44650"},{"cvss":9.6,"id":"CVE-2025-59159"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["sillytavern (\u003c= 1.17.0)"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","web-application","CVE-2026-44650"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eSillyTavern, a popular open-source AI storytelling application, is vulnerable to a path traversal attack (CVE-2026-44650) affecting versions 1.17.0 and earlier. The vulnerability resides in the extensions API endpoints \u003ccode\u003e/api/extensions/delete\u003c/code\u003e, \u003ccode\u003e/api/extensions/update\u003c/code\u003e, \u003ccode\u003e/api/extensions/version\u003c/code\u003e, \u003ccode\u003e/api/extensions/branches\u003c/code\u003e, and \u003ccode\u003e/api/extensions/switch\u003c/code\u003e. Because the \u003ccode\u003eextensionName\u003c/code\u003e parameter is only checked for presence, and that check runs before sanitization, an unauthenticated attacker can send an HTTP POST request with \u003ccode\u003eextensionName: \u0026quot;.\u0026quot;\u003c/code\u003e to these endpoints: the sanitized name is empty, so the handler resolves the extensions base directory itself rather than one of its subdirectories, and the delete endpoint recursively removes the entire extensions directory. The vulnerability is exploitable by anyone with network access to the SillyTavern instance in its default configuration (\u003ccode\u003ebasicAuthMode: false\u003c/code\u003e), and it can be chained with CVE-2025-59159 (DNS rebinding) so that a malicious website can trigger it through the browser of a user who can reach the instance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a reachable SillyTavern instance running version 1.17.0 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to the \u003ccode\u003e/api/extensions/delete\u003c/code\u003e endpoint (or \u003ccode\u003e/update\u003c/code\u003e, \u003ccode\u003e/version\u003c/code\u003e, \u003ccode\u003e/branches\u003c/code\u003e, \u003ccode\u003e/switch\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe JSON request body sets the \u003ccode\u003eextensionName\u003c/code\u003e parameter to \u003ccode\u003e.\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request is routed to the handler in \u003ccode\u003esrc/endpoints/extensions.js\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe presence check \u003ccode\u003e!request.body.extensionName\u003c/code\u003e runs on the raw value before sanitization; \u003ccode\u003e.\u003c/code\u003e is a non-empty string, so the check passes.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esanitize-filename\u003c/code\u003e function then reduces \u003ccode\u003e.\u003c/code\u003e to the empty string \u003ccode\u003e\u0026quot;\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003epath.join(basePath, \u0026quot;\u0026quot;)\u003c/code\u003e drops the empty segment and returns \u003ccode\u003ebasePath\u003c/code\u003e itself, the extensions directory.\u003c/li\u003e\n\u003cli\u003eThe handler calls \u003ccode\u003efs.promises.rm(extensionPath, { recursive: true })\u003c/code\u003e on that path, deleting the entire extensions directory (e.g., \u003ccode\u003edata\\default-user\\extensions\\\u003c/code\u003e).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-44650 removes all installed third-party extensions from the SillyTavern instance; the deletion is recursive and cannot be undone from within the application. Because the default configuration does not require authentication, any client that can reach the instance can trigger it. If \u003ccode\u003eglobal: true\u003c/code\u003e is set and the caller has admin privileges, the global extensions directory is deleted instead, affecting all users. Combined with CVE-2025-59159 (DNS rebinding), the vulnerability can be triggered from a malicious website visited by a user whose browser can reach the instance, so the attacker needs no network access of their own. The CVSS score is 9.1 (Critical).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the suggested fix from the advisory to the \u003ccode\u003e/api/extensions/delete\u003c/code\u003e, \u003ccode\u003e/api/extensions/update\u003c/code\u003e, \u003ccode\u003e/api/extensions/version\u003c/code\u003e, \u003ccode\u003e/api/extensions/branches\u003c/code\u003e, and \u003ccode\u003e/api/extensions/switch\u003c/code\u003e endpoints: validate \u003ccode\u003eextensionName\u003c/code\u003e \u003cem\u003eafter\u003c/em\u003e \u003ccode\u003esanitize-filename\u003c/code\u003e has run, so that an empty result is rejected, and add a path traversal guard that confirms the resolved path lies strictly inside the extensions base directory before any filesystem operation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SillyTavern Path Traversal Attempt via Extension Deletion\u003c/code\u003e to detect attempts to exploit CVE-2026-44650 against the \u003ccode\u003e/api/extensions/delete\u003c/code\u003e endpoint based on the \u003ccode\u003eextensionName\u003c/code\u003e parameter value.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SillyTavern Path Traversal Attempt via Other Endpoints\u003c/code\u003e to detect the same attempts against the \u003ccode\u003e/api/extensions/update\u003c/code\u003e, \u003ccode\u003e/api/extensions/version\u003c/code\u003e, \u003ccode\u003e/api/extensions/branches\u003c/code\u003e, and \u003ccode\u003e/api/extensions/switch\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003cli\u003eMonitor web server and application logs for HTTP POST requests to the extensions API endpoints whose \u003ccode\u003eextensionName\u003c/code\u003e value is \u003ccode\u003e.\u003c/code\u003e, \u003ccode\u003e..\u003c/code\u003e, empty, or contains a path separator; the parameter travels in the request body, so this requires a proxy or application log that records bodies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T22:24:16Z","date_published":"2026-05-12T22:24:16Z","id":"https://feed.craftedsignal.io/briefs/2026-05-sillytavern-path-traversal/","summary":"SillyTavern versions 1.17.0 and earlier contain a path traversal vulnerability, CVE-2026-44650, in the `/api/extensions/delete` endpoint (and others), allowing an unauthenticated attacker to delete the entire extensions directory by supplying '.' as the extension name, causing data loss; chaining with CVE-2025-59159 (DNS rebinding) allows the request to be triggered from a malicious website.","title":"SillyTavern Unauthenticated Path Traversal in Extensions API","url":"https://feed.craftedsignal.io/briefs/2026-05-sillytavern-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-44650","version":"https://jsonfeed.org/version/1.1"}