CVE-2026-46372
published 2026-05-29


Priority: P2 59 · Severity: high · CVSS 3.1: 8.5
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Exploit: available
EPSS: 0.87% (54.1th percentile)
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern exposes /api/search/searxng, which accepts attacker-controlled baseUrl and uses it directly to build outbound server-side fetches. An authenticated low-privilege user can point baseUrl at an internal or loopback HTTP service and receive the /search response body. This vulnerability is fixed in 1.18.0.

Affected (2 ranges)

Vendor        Product       Version range      Fixed in
sillytavern   sillytavern   < 1.18.0           1.18.0
sillytavern   sillytavern   >= 0, < 1.18.0     1.18.0

Detection & IOCs (extracted from sources)

url:      /api/search/searxng
url:      /csrf-token
command:  POST /api/search/searxng HTTP/1.1
          Content-Type: application/json
          X-CSRF-Token: {{csrf_token}}
          {"baseUrl":"http://{{interactsh-url}}/","query":"x"}
other:    shodan-query: http.title:"SillyTavern"
other:    fofa-query: title="SillyTavern"
Nuclei template (info block):
id: CVE-2026-46372
info:
  name: SillyTavern - Server-Side Request Forgery
  author: theamanrawat
  severity: high
  description: SillyTavern versions up to and including 1.17.0 expose the /api/search/searxng endpoint...
  cvss-score: 8.5
  cve-id: CVE-2026-46372
  cwe-id: CWE-918
  tags: cve,cve2026,sillytavern,nodejs,ssrf
  • Detect SSRF exploitation attempts by monitoring POST requests to /api/search/searxng whose user-controlled 'baseUrl' parameter points at internal or loopback addresses (e.g., 127.0.0.1, 169.254.169.254, 10.x.x.x, 192.168.x.x).
  • The Nuclei PoC template uses an out-of-band interaction (interactsh) to confirm the SSRF: look for outbound HTTP GET requests originating from the SillyTavern server process immediately after a POST to /api/search/searxng.
  • The attack flow first fetches a CSRF token from /csrf-token and then supplies it in the X-CSRF-Token header of the malicious POST request. Monitor for a GET /csrf-token followed by a POST /api/search/searxng from the same low-privilege session.
  • Fingerprint vulnerable SillyTavern instances via Shodan (http.title:"SillyTavern") or FOFA (title="SillyTavern") to identify exposed attack surface.
  • The PoC's initial fingerprint step checks whether the SillyTavern response body contains the string 'SillyTavern' before the SSRF payload is sent; a GET that matches this check followed by the POST above is a sign of the template being run.
  • The vulnerability is fixed in version 1.18.0, which introduces a Private Request Whitelisting filter. The fix is only effective if the filter is enabled and properly configured when hosting over a network.
  • The endpoint /api/search/searxng is accessible to authenticated low-privilege users, so standard authentication alone is insufficient to prevent exploitation on unpatched versions.
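The detection points above, written out as runnable logic (an added example, not part of the CVE record or the SillyTavern project): it scans request records for POST /api/search/searxng calls whose baseUrl host is loopback, private, link-local or the cloud metadata address, and notes when the same session fetched /csrf-token immediately before, matching the PoC's request order. The request records and field names are constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample request records (not taken from the page): one benign
# SearXNG configuration and two requests aimed at internal services.
SAMPLE_REQUESTS = [
    {"session": "s1", "method": "GET", "path": "/csrf-token", "body": ""},
    {"session": "s1", "method": "POST", "path": "/api/search/searxng",
     "body": '{"baseUrl":"http://127.0.0.1:8080/","query":"x"}'},
    {"session": "s2", "method": "POST", "path": "/api/search/searxng",
     "body": '{"baseUrl":"https://searx.example.org/","query":"weather"}'},
    {"session": "s3", "method": "POST", "path": "/api/search/searxng",
     "body": '{"baseUrl":"http://169.254.169.254/","query":"x"}'},
]

def is_internal_host(host):
    """True for loopback, private, link-local (incl. 169.254.169.254) or unspecified hosts."""
    if not host:
        return False
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # other hostnames: DNS resolution is out of scope here
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified

def suspicious_base_url(body):
    """Return the baseUrl if the JSON body points it at an internal host, else None."""
    try:
        base = json.loads(body).get("baseUrl", "")
    except (ValueError, AttributeError):
        return None
    return base if is_internal_host(urlsplit(base).hostname or "") else None

def detect(requests):
    """Flag POST /api/search/searxng with an internal baseUrl; record whether the
    same session's previous request was GET /csrf-token (the PoC's sequence)."""
    alerts, last_path = [], {}
    for r in requests:
        if r["method"] == "POST" and r["path"] == "/api/search/searxng":
            hit = suspicious_base_url(r["body"])
            if hit:
                alerts.append({"session": r["session"], "baseUrl": hit,
                               "csrf_first": last_path.get(r["session"]) == "/csrf-token"})
        last_path[r["session"]] = r["path"]
    return alerts
```

Hostnames that are not IP literals are not resolved here; a production rule would resolve them (or inspect the server's outbound connections) to catch DNS names mapped to internal addresses.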