CVE-2026-34523

Name of the Vulnerable Software and Affected Versions SillyTavern versions prior to 1.17.0

Description A path traversal vulnerability exists in the static file route handler, allowing unauthenticated users to determine the existence of files on the server's filesystem. Attackers can send percent-encoded '../' sequences (%2E%2E%2F) in requests to static file routes to check for file existence. The vulnerable code is located in the createRouteHandler function (src/users.js:947–963). The vulnerability occurs because req.params[0] is decoded without proper boundary checks, allowing paths like /characters/%2E%2E%2F%2E%2E%2FUsers/kirakira to resolve outside the intended directory. Affected routes include /characters/*, /user/files/*, /assets/*, /user/images/*, /backgrounds/*, and /User%20Avatars/*. While file contents cannot be read, the existence of files can be determined.

Recommendations Update to version 1.17.0 or later.