{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sillytavern/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","sillytavern"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSillyTavern, a local web UI for large language models, is vulnerable to a path traversal attack. This vulnerability, affecting versions 1.16.0 and earlier, stems from insufficient input validation in the \u003ccode\u003eavatar_url\u003c/code\u003e parameter of the \u003ccode\u003e/api/chats/export\u003c/code\u003e and \u003ccode\u003e/api/chats/delete\u003c/code\u003e endpoints. An authenticated attacker can exploit this flaw to read or delete arbitrary files within the user\u0026rsquo;s data directory. The vulnerability exists because the application fails to adequately sanitize path traversal sequences like \u003ccode\u003e..\u003c/code\u003e when constructing file paths. This can lead to the exposure of sensitive information such as \u003ccode\u003esecrets.json\u003c/code\u003e and \u003ccode\u003esettings.json\u003c/code\u003e, or the deletion of crucial user data, particularly in multi-user or remotely-accessible deployments. The vulnerability was patched in version 1.17.0 and assigned CVE-2026-34524.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the SillyTavern application using valid credentials, obtaining a session cookie and CSRF token.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/api/chats/export\u003c/code\u003e or \u003ccode\u003e/api/chats/delete\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eavatar_url\u003c/code\u003e parameter in the request body to a path traversal sequence, such as \u003ccode\u003e..\u003c/code\u003e, to navigate outside the intended \u0026ldquo;chats\u0026rdquo; directory.\u003c/li\u003e\n\u003cli\u003eIn the \u003ccode\u003e/api/chats/export\u003c/code\u003e endpoint, the attacker specifies the \u003ccode\u003efile\u003c/code\u003e parameter to point to the desired file to read, such as \u003ccode\u003esecrets.json\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server-side application uses \u003ccode\u003epath.join\u003c/code\u003e to concatenate the user\u0026rsquo;s chats directory with the attacker-controlled \u003ccode\u003eavatar_url\u003c/code\u003e and \u003ccode\u003efile\u003c/code\u003e parameters, resulting in path traversal.\u003c/li\u003e\n\u003cli\u003eThe application reads the contents of the file specified by the attacker.\u003c/li\u003e\n\u003cli\u003eIn the \u003ccode\u003e/api/chats/delete\u003c/code\u003e endpoint, the attacker specifies the \u003ccode\u003echatfile\u003c/code\u003e parameter to point to the desired file to delete, such as \u003ccode\u003esettings.json\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application deletes the file specified by the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can have significant consequences. Attackers can gain unauthorized access to sensitive configuration files like \u003ccode\u003esecrets.json\u003c/code\u003e, potentially exposing API keys, passwords, and other confidential information. Furthermore, the ability to delete arbitrary files allows attackers to disrupt the application\u0026rsquo;s functionality or even render a user\u0026rsquo;s account unusable by deleting critical files such as \u003ccode\u003esettings.json\u003c/code\u003e. The risk is amplified in multi-user environments or remotely-accessible deployments, where the impact can extend to multiple users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to SillyTavern version 1.17.0 or later to patch CVE-2026-34524.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SillyTavern Path Traversal Attempt via API Export\u0026rdquo; to detect attempts to exploit the \u003ccode\u003e/api/chats/export\u003c/code\u003e endpoint by monitoring for path traversal sequences in the \u003ccode\u003ecs-uri-query\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SillyTavern Path Traversal Attempt via API Delete\u0026rdquo; to detect attempts to exploit the \u003ccode\u003e/api/chats/delete\u003c/code\u003e endpoint by monitoring for path traversal sequences in the \u003ccode\u003ecs-uri-query\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for unusual requests to \u003ccode\u003e/api/chats/export\u003c/code\u003e or \u003ccode\u003e/api/chats/delete\u003c/code\u003e with suspicious \u003ccode\u003eavatar_url\u003c/code\u003e parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T12:00:00Z","date_published":"2026-04-02T12:00:00Z","id":"/briefs/2026-04-sillytavern-path-traversal/","summary":"A path traversal vulnerability in SillyTavern versions 1.16.0 and earlier allows an authenticated attacker to read and delete arbitrary files under their user data root by manipulating the avatar_url parameter in the `/api/chats/export` and `/api/chats/delete` endpoints.","title":"SillyTavern Path Traversal Vulnerability in Chat Endpoints","url":"https://feed.craftedsignal.io/briefs/2026-04-sillytavern-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Sillytavern","version":"https://jsonfeed.org/version/1.1"}