PT-2026-30858 · Unknown · Text-Generation-Webui

Programsurf +2 · Published 2026-04-07 · Updated 2026-04-07 · CVE-2026-35485

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions
text-generation-webui versions prior to 4.3

Description
text-generation-webui, an open-source web interface for running Large Language Models, contains a path traversal flaw in the load_grammar() function that allows an unauthenticated attacker to read any file on the server filesystem. The application does not validate dropdown values on the server side, so an attacker can submit directory traversal payloads (e.g., ../../../etc/passwd) via the API. The server then returns the full file contents in the response.

Recommendations
Update to version 4.3 or later.
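
The server-side check the description says was missing, as an added example that is not code from text-generation-webui or its 4.3 fix: a value arriving from the dropdown/API field is accepted only if it is a name the server itself would list and if the resolved path stays inside the grammar directory. The names load_grammar_checked, list_grammars and InvalidGrammarName, the directory layout and the .gbnf extension are assumptions made for this example.

```python
import tempfile
from pathlib import Path


class InvalidGrammarName(ValueError):
    """Raised when a submitted grammar name is not a file in the grammar directory."""


def list_grammars(grammar_dir: Path) -> set[str]:
    """Names the server itself would offer in the dropdown (assumed: *.gbnf files)."""
    return {p.name for p in grammar_dir.iterdir() if p.is_file() and p.suffix == ".gbnf"}


def load_grammar_checked(grammar_dir: Path, name: str) -> str:
    """Read a grammar file only if `name` passes both server-side checks."""
    # Check 1, allowlist: the client-side dropdown is not a control, so compare
    # the submitted value with the directory listing on every request.
    if not isinstance(name, str) or name not in list_grammars(grammar_dir):
        raise InvalidGrammarName(f"unknown grammar: {name!r}")
    # Check 2, containment: resolve symlinks and confirm the final path is still
    # under the grammar directory before opening it.
    base = grammar_dir.resolve(strict=True)
    target = (base / name).resolve(strict=True)
    if not target.is_relative_to(base):
        raise InvalidGrammarName(f"grammar escapes base directory: {name!r}")
    return target.read_text(encoding="utf-8")


def demo() -> dict[str, str]:
    """Run the check over constructed inputs in a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        grammar_dir = root / "grammars"
        grammar_dir.mkdir()
        (grammar_dir / "json.gbnf").write_text('root ::= "{}"\n', encoding="utf-8")
        (root / "secret.txt").write_text("outside the grammar dir\n", encoding="utf-8")
        (grammar_dir / "link.gbnf").symlink_to(root / "secret.txt")
        cases = {"valid": "json.gbnf", "traversal": "../../../etc/passwd",
                 "absolute": str(root / "secret.txt"), "symlink": "link.gbnf"}
        for label, value in cases.items():
            try:
                load_grammar_checked(grammar_dir, value)
                results[label] = "served"
            except InvalidGrammarName:
                results[label] = "rejected"
    return results
```

The symlink case passes the allowlist and is stopped only by the containment check, which is why both checks are kept.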

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-35485

Affected Products

Text-Generation-Webui