CVE-2026-34523
Path Traversal in SillyTavern Allows Unauthorized File Existence Disclosure
Publication date: 2026-04-02
Last updated on: 2026-04-13
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sillytavern | sillytavern | to 1.17.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34523 is a path traversal vulnerability in the SillyTavern application versions 1.16.0 and earlier. It exists in the static file route handler, which improperly processes percent-encoded sequences like "%2E%2E%2F" (representing "../") in URL paths without adequate sanitization. This flaw allows an unauthenticated attacker to send specially crafted requests to check if files exist anywhere on the server's filesystem by observing the HTTP response codes.
Although the application blocks unauthorized file access and does not disclose file contents, the difference in HTTP responses (403 Forbidden if the file exists but access is denied, 404 Not Found if the file does not exist) acts as an oracle to reveal the presence of files. This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and was fixed in version 1.17.0 by adding proper boundary checks.
How can this vulnerability impact me?
The primary impact of this vulnerability is information disclosure. An attacker can determine whether specific files exist on the server without authentication, which could aid in further attacks or reconnaissance.
However, the vulnerability does not allow reading file contents, modifying files, or disrupting service. The confidentiality impact is low, and there is no impact on integrity or availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending specially crafted HTTP requests containing percent-encoded directory traversal sequences (%2E%2E%2F) to the static file routes of the SillyTavern server and observing the HTTP response codes.
A proof-of-concept curl command can be used to test for the vulnerability by requesting a path with traversal sequences and checking the HTTP status code to infer file existence.
- curl -i "http://<target-server>/<static-file-route>/%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc/passwd"
If the response status is 403 Forbidden, it indicates the file exists but access is denied; if 404 Not Found, the file does not exist. This difference in response codes reveals the presence of files on the server.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade SillyTavern to version 1.17.0 or later, where the vulnerability has been fixed by implementing proper boundary checks to prevent path traversal and unauthorized file existence disclosure.
Until the upgrade can be performed, restrict access to the affected static file routes to trusted users or networks to reduce the risk of exploitation.
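The boundary check and the 403/404 oracle described above, as an added example that is not SillyTavern's code: a constructed static-file status function that tests existence before the boundary, beside a hardened one that checks the boundary first and answers uniformly. The function names, the temporary directory layout and the file names are assumptions made for the illustration.

```javascript
// Added example: not SillyTavern's code. Names and fixture layout are assumptions.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// True only when target is root itself or lies beneath it (lexical check).
function isInside(root, target) {
  const rel = path.relative(root, target);
  return rel === '' || (rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel));
}

// Constructed "before": existence is tested on the decoded path before the
// boundary check, so 403 vs 404 reveals whether a file outside root exists.
function statusLeaky(root, urlPath) {
  const target = path.join(root, decodeURIComponent(urlPath)); // "%2E%2E%2F" -> "../"
  if (!fs.existsSync(target)) return 404;
  if (!isInside(root, target)) return 403;
  return 200;
}

// Hardened: boundary check before any filesystem access, and the same status
// for "outside root" and "not found", so the response carries no existence signal.
function statusHardened(root, urlPath) {
  let decoded;
  try { decoded = decodeURIComponent(urlPath); } catch { return 400; } // malformed escape
  const target = path.join(root, decoded);
  if (!isInside(root, target)) return 404;
  return fs.existsSync(target) ? 200 : 404;
}

// Constructed fixture: <tmp>/public is the static root, <tmp>/secret.txt sits outside it.
// Returns rows of [request path, leaky status, hardened status].
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'static-root-'));
  const root = path.join(base, 'public');
  fs.mkdirSync(root);
  fs.writeFileSync(path.join(root, 'index.html'), 'ok');
  fs.writeFileSync(path.join(base, 'secret.txt'), 'x');
  const paths = ['index.html', '%2E%2E%2Fsecret.txt', '%2E%2E%2Fmissing.txt'];
  const out = paths.map((p) => [p, statusLeaky(root, p), statusHardened(root, p)]);
  fs.rmSync(base, { recursive: true, force: true });
  return out;
}

console.log(demo());
```

The containment check here is lexical; if the static root can contain symlinks, compare `fs.realpathSync` results instead.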
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to determine the existence of arbitrary files on the server's filesystem through a path traversal flaw, leading to information disclosure.
While the vulnerability does not allow reading file contents, the ability to confirm the presence of files could potentially expose sensitive information about the server environment or data storage structure.
Such information disclosure could impact compliance with standards like GDPR or HIPAA if it aids attackers in identifying sensitive files or data locations, thereby increasing the risk of further exploitation or data breaches.
However, since the vulnerability does not directly expose file contents or personal data, its impact on compliance is indirect and limited to increased risk rather than direct violation.