LeakyCreds

CVE-2026-34524 - Vulnerability Analysis

High, CVSS: 8.3

Last Updated: April 2, 2026

SillyTavern - Path Traversal

Published: April 2, 2026 | Updated: April 2, 2026 | Remote Exploitable

Overview

SillyTavern versions before 1.17.0 contain a path traversal vulnerability caused by improper validation of the avatar_url parameter in chat endpoints. It lets authenticated attackers read and delete arbitrary files under their user data root.

Severity & Score

Severity: High
CVSS Score: 8.3

Impact

Authenticated attackers can read and delete arbitrary files under their user data root, potentially exposing sensitive information or disrupting user data.

Mitigation

Update to version 1.17.0 or later.
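
One way to validate a file-name parameter such as avatar_url so that the path built from it cannot leave its intended directory. This is an added example, not SillyTavern's code or its 1.17.0 fix; the functions chatDirFor, isInside and rejectionFor, the <userRoot>/chats layout and the sample paths are assumptions made for illustration.

```javascript
const path = require('node:path');

// True only when target is strictly below base after normalization.
function isInside(base, target) {
  const rel = path.relative(path.resolve(base), path.resolve(target));
  return rel !== '' && rel !== '..' &&
    !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
}

// Hypothetical helper: maps an avatar_url such as "Alice.png" to
// <userRoot>/chats/Alice. The directory layout is an assumption.
function chatDirFor(userRoot, avatarUrl) {
  if (typeof avatarUrl !== 'string' || avatarUrl === '' || avatarUrl.includes('\0')) {
    throw new Error('avatar_url must be a non-empty string without NUL bytes');
  }
  // Form check: exactly one path component, no separators of either kind.
  if (/[\\/]/.test(avatarUrl) || avatarUrl === '.' || avatarUrl === '..') {
    throw new Error('avatar_url must be a bare file name');
  }
  const chatsRoot = path.resolve(userRoot, 'chats');
  const name = avatarUrl.replace(/\.[^.]+$/, ''); // drop the extension
  const target = path.resolve(chatsRoot, name);
  // Containment check on the final path, against the chats directory
  // rather than the whole user data root. It runs after the extension is
  // stripped because "...png" is a bare file name that becomes "..".
  if (!isInside(chatsRoot, target)) {
    throw new Error('avatar_url resolves outside the chats directory');
  }
  return target;
}

// Returns the rejection message, or null when the value is accepted.
function rejectionFor(userRoot, avatarUrl) {
  try { chatDirFor(userRoot, avatarUrl); return null; }
  catch (err) { return err.message; }
}
```

A check against the user data root alone would still accept a sibling directory of chats, which is why the containment test here is anchored one level deeper.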

Details

CVE ID: CVE-2026-34524
Severity: High
CVSS Score: 8.3
Type: path_traversal
Status: new

CWE

  • CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L