CVE-2026-44648

Name of the Vulnerable Software and Affected Versions SillyTavern versions prior to 1.18.0

Description SillyTavern uses cookie-session for authentication, where session data such as user handles and permissions are stored in a signed cookie. The endpoints "POST /api/users/change-password" and "POST /api/users/recover-step2" update the password hash in the database but fail to expire active sessions. Since the session is stateless and stored entirely within the client cookie, the server lacks a mechanism to revoke a token after it has been issued. This allows an attacker with a stolen session cookie to maintain access to an account even after the legitimate user has reset their password.

Recommendations Update to version 1.18.0.