Ygboy777-Alt

#28034 of 53,630
9.1 Total CVSS
Vulnerabilities · 1
PT-2026-40546
9.1
2026-05-12
Sillytavern · Sillytavern · CVE-2026-44650
**Name of the Vulnerable Software and Affected Versions**

SillyTavern versions prior to 1.18.0

**Description**

An issue exists in the "/api/extensions/delete" endpoint where it accepts the value "." for the `extensionName` variable. This bypasses the `sanitize-filename` validation, which converts the dot to an empty string, causing the application to resolve the path to the base extensions directory. Consequently, the entire user extensions directory is recursively deleted. In the default configuration, no authentication is required to perform this action. Similar behavior is also present in the "/api/extensions/update", "/api/extensions/version", "/api/extensions/branches", and "/api/extensions/switch" endpoints.

**Recommendations**

Update to version 1.18.0. As a temporary workaround, restrict network access to the SillyTavern instance to prevent unauthorized requests to the affected API endpoints.
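
The path-resolution failure described above, next to a stricter resolver, as an added example that is not SillyTavern's code or its actual fix. `sanitizeStandIn`, `EXTENSIONS_DIR`, `resolveUnchecked` and `resolveChecked` are hypothetical names, and the stand-in sanitizer models only the dot-to-empty-string behaviour the advisory describes.

```javascript
const path = require('node:path');

// Assumption: stand-in sanitizer, modelling only the behaviour the advisory
// describes (a name made solely of dots is reduced to an empty string).
function sanitizeStandIn(name) {
  return String(name)
    .replace(/[\/\\?<>:*|"\x00-\x1f]/g, '') // strip separators and control chars
    .replace(/^\.+$/, '');                  // "." and ".." become ""
}

// Hypothetical base directory, constructed for this example.
const EXTENSIONS_DIR = path.resolve('/srv/app/data/default-user/extensions');

// Pattern the advisory describes: sanitize, join, use the result unchecked.
// path.join() ignores an empty segment, so "." yields the base directory.
function resolveUnchecked(extensionName) {
  return path.join(EXTENSIONS_DIR, sanitizeStandIn(extensionName));
}

// Stricter form: reject any name the sanitizer emptied or altered, then
// confirm the resolved path is strictly below the base directory.
function resolveChecked(extensionName) {
  if (typeof extensionName !== 'string') {
    throw new Error('invalid extension name');
  }
  const clean = sanitizeStandIn(extensionName);
  if (clean === '' || clean !== extensionName) {
    throw new Error('invalid extension name');
  }
  const target = path.resolve(EXTENSIONS_DIR, clean);
  const rel = path.relative(EXTENSIONS_DIR, target);
  const escapes = rel === '..' || rel.startsWith('..' + path.sep);
  if (rel === '' || escapes || path.isAbsolute(rel)) {
    throw new Error('path is not inside the extensions directory');
  }
  return target;
}
```

Treating "sanitizer changed the input" as a rejection, and checking containment after resolution, covers the empty-name case whichever of the listed endpoints the name arrives through.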