CVE-2026-26286

Name of the Vulnerable Software and Affected Versions SillyTavern versions prior to 1.16.0

Description SillyTavern is a locally installed user interface for interacting with large language models, image generation engines, and text-to-speech voice models. A Server-Side Request Forgery (SSRF) exists in the asset download endpoint for versions prior to 1.16.0. This allows authenticated users to make arbitrary HTTP requests from the server and read the full response body, potentially exposing internal services, cloud metadata, and private network resources. The issue is addressed by a whitelist domain check for asset download requests introduced in version 1.16.0, configurable via the whitelistImportDomains array in the config.yaml file.

Recommendations Upgrade to SillyTavern version 1.16.0 or later. Review and customize the whitelistImportDomains array in the config.yaml file to ensure appropriate domain restrictions.