Home / Vulnerability Intelligence / CVE-2026-35050

CVE-2026-35050 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: April 6, 2026

text-generation-webui - Unrestricted File Upload

Published: April 6, 2026Updated: April 6, 2026Remote Exploitable

Overview

text-generation-webui < 4.1.1 contains an unrestricted file upload vulnerability caused by saving extension settings as Python files in the app root directory, letting attackers overwrite and execute arbitrary Python files, exploit requires user to save extension settings.

Severity & Score

Severity: Critical

CVSS Score: 9.1

Impact

Attackers can execute arbitrary Python code remotely, leading to full system compromise.

Mitigation

Update to version 4.1.1 or later.

References

https://github.com/oobabooga/text-generation-webui/security/advisories/GHSA-jg96-p5p6-q3cv

Related Resources

Details

CVE ID: CVE-2026-35050
Severity: Critical
CVSS Score: 9.1
Type: unrestricted_file_upload
Status: new

CWE

CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H