CVE-2026-35484

Name of the Vulnerable Software and Affected Versions text-generation-webui versions prior to 4.3

Description text-generation-webui, an open-source web interface for running Large Language Models, contains an unauthenticated path traversal flaw in the load preset() function. This allows an attacker to read any .yaml file on the server filesystem. The parsed YAML key-value pairs, which may include sensitive information like passwords, API keys, and connection strings, are then returned in the API response.

Recommendations Update to version 4.3 or later.