CVE-2026-46372
Published 2026-05-29
Priority: P2 · 59 · Severity: high · CVSS 3.1 base score: 8.5
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
EPSS: 0.87% (54.1th percentile)
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern exposes /api/search/searxng, which accepts attacker-controlled baseUrl and uses it directly to build outbound server-side fetches. An authenticated low-privilege user can point baseUrl at an internal or loopback HTTP service and receive the /search response body. This vulnerability is fixed in 1.18.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sillytavern | sillytavern | < 1.18.0 | 1.18.0 |
| sillytavern | sillytavern | >= 0 < 1.18.0 | 1.18.0 |
Detection & IOCs (extracted from sources)
url: /csrf-token
command:
POST /api/search/searxng HTTP/1.1
Content-Type: application/json
X-CSRF-Token: {{csrf_token}}

{"baseUrl":"http://{{interactsh-url}}/","query":"x"}
other: shodan-query: http.title:"SillyTavern"
other: fofa-query: title="SillyTavern"
sigma (the entry is the Nuclei template's info block):
id: CVE-2026-46372
info:
  name: SillyTavern - Server-Side Request Forgery
  author: theamanrawat
  severity: high
  description: SillyTavern versions up to and including 1.17.0 expose the /api/search/searxng endpoint...
  cvss-score: 8.5
  cve-id: CVE-2026-46372
  cwe-id: CWE-918
  tags: cve,cve2026,sillytavern,nodejs,ssrf
- Detect SSRF exploitation attempts by monitoring POST requests to /api/search/searxng whose user-controlled 'baseUrl' parameter points to internal or loopback addresses (e.g., 127.0.0.1, 169.254.169.254, 10.x.x.x, 192.168.x.x).
- The Nuclei PoC template uses an out-of-band interaction (interactsh) to confirm SSRF: look for outbound HTTP GET requests originating from the SillyTavern server process that are triggered by a POST to /api/search/searxng.
- The attack flow first fetches a CSRF token from /csrf-token and then supplies it as the X-CSRF-Token header in the malicious POST request. Monitor for a GET /csrf-token followed by a POST /api/search/searxng from the same low-privilege session.
- Fingerprint vulnerable SillyTavern instances via Shodan (http.title:"SillyTavern") or FOFA (title="SillyTavern") to identify exposed attack surface.
- The PoC's initial fingerprint step checks whether the SillyTavern server's response body contains the string 'SillyTavern' before the SSRF payload is sent; that request pattern is an early indicator of a scan.
- The vulnerability is fixed in version 1.18.0, which introduces a Private Request Whitelisting filter. The fix is only effective if the filter is enabled and properly configured when hosting over a network.
- The endpoint /api/search/searxng is accessible to authenticated low-privilege users, so standard authentication alone is insufficient to prevent exploitation on unpatched versions.
VulDB · 2026-05-29 · CVSS 8.5 · HIGH
SillyTavern up to 1.17.x User Interface /api/search/searxng server-side request forgery
A vulnerability was found in SillyTavern up to 1.17.x. It has been rated as critical. Impacted is an unknown function of the file /api/search/searxng of the component User Interface. This manipulation causes server-side request forgery.
The identification of this vulnerability is CVE-2026-46372. It is possible to initiate the attack remotely. There is no exploit available.
Upgrading the affected component is advised.
GHSA · 2026-05-19 · HIGH · CWE-918
SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl
## Resolution
SillyTavern 1.18.0 added a generic server-side request filter (Private Request Whitelisting). Since we expect users to use the application in a trusted environment, the filter is disabled by default; however, it is strongly advised to enable and properly configure it when an instance is hosted over a network, as suggested by a console warning message and an officially published security checklist for administrators.
Documentation:
- https://docs.sillytavern.app/administration/config-yaml/#private-address-whitelisting
- https://docs.sillytavern.app/administration/#security-checklist
## Note on future SSRF findings
Since the request filter applies to the entire application, no SSRF vulnerabilities ag
No detection rules found.
Nuclei · CVSS 8.5
SillyTavern - Server-Side Request Forgery
SillyTavern versions up to and including 1.17.0 expose the /api/search/searxng endpoint, which accepts an attacker-controlled baseUrl parameter and uses it directly to build outbound server-side fetch requests. An authenticated low-privilege user can point baseUrl at an internal or loopback HTTP service and receive the full response body, enabling read access to internal services, cloud metadata endpoints, and private network resources.
Template:
id: CVE-2026-46372
info:
  name: SillyTavern - Server-Side Request Forgery
  author: theamanrawat
  severity: high
  description: |
    SillyTavern versions up to and including 1.17.0 expose the /api/search/searxng endpoint, which accepts an attacker-controlled baseUrl parameter and uses it directly to build outbo
No writeups or analysis indexed.