CVE-2026-35487

CVSS v3.1

5.3

Medium

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in load prompt() allows reading any .txt file on the server filesystem. The file content is returned verbatim in the API response. This vulnerability is fixed in 4.3.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2026-35487

Affected Products

Text-Generation-Webui

CVE-2026-35487

Weakness Enumeration

Related Identifiers

Affected Products

References · 2