CVE-2026-44650
Path Traversal in SillyTavern Allows Directory Deletion
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sillytavern | sillytavern | < 1.18.0 |
| sillytavern | sillytavern | 1.18.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
This vulnerability lets an attacker recursively delete the entire user extensions directory, permanently removing every installed third-party extension.
If the request targets the global extensions directory (the case the advisory describes as global settings being enabled), that directory can be deleted in the same way.
The impact is to the integrity and availability of the application: it keeps serving requests, but its normal operation can be disrupted until the extensions are reinstalled.
Can you explain this vulnerability to me?
CVE-2026-44650 is a path traversal vulnerability (CWE-22) in the SillyTavern application affecting versions prior to 1.18.0.
The flaw lies in several API endpoints, including /api/extensions/delete, where the `extensionName` parameter is checked for traversal before it is passed through the sanitize-filename library, so the check sees the raw value while the filesystem operation sees the sanitized one.
A single dot (`.`) passes the check, and sanitize-filename then strips the trailing dot, leaving an empty string.
`path.join(baseDir, '')` therefore resolves to the extensions base directory itself, and the recursive delete removes the entire user extensions directory.
No authentication is required in the default configuration, making it exploitable by any user with network access to the SillyTavern instance.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts are POST requests to `/api/extensions/delete` whose JSON body carries an `extensionName` that sanitize-filename reduces to an empty string, most simply a single dot (`.`). Such a request passes the pre-sanitization check and triggers recursive deletion of the extensions directory.
Standard web-server access logs record the method and path but not the request body, so a plain access log can only show that the endpoint was called. Seeing the parameter itself requires a reverse proxy that logs request bodies (for example an nginx `log_format` that includes `$request_body`), application-level request logging, or a packet capture of plaintext HTTP.
Example commands:
- Find calls to the endpoint in a proxy access log: `grep 'POST /api/extensions/delete' /var/log/nginx/access.log`. If the log includes the body, narrow it to the dangerous value with a fixed-string search such as `grep -F '"extensionName":"."'` (adjust for whatever escaping your log format applies). Note that an unquoted `.` in a regular grep pattern matches any character, so `grep 'extensionName=.'` does not isolate the dot.
- Capture plaintext HTTP to the instance (SillyTavern listens on TCP port 8000 by default; adjust the port for your deployment, and note that TLS-terminated traffic cannot be inspected this way): `tcpdump -A -s 0 'tcp port 8000 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -A5 '/api/extensions/delete'`
- Do not test a production instance by sending `extensionName` set to `.` and watching whether the directory disappears: that is the exploit, and the deletion is not reversible. Confirm exposure from the installed version instead (the `version` field in SillyTavern's package.json) and from whether the instance is reachable without authentication; if a live test is needed, run it only against a disposable copy of the instance.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade SillyTavern to version 1.18.0 or later, where this vulnerability is fixed.
If upgrading immediately is not possible, restrict network access to the SillyTavern instance to trusted users only, as the vulnerability requires no authentication in default configuration.
Additionally, at a reverse proxy or WAF that can inspect request bodies, monitor and block POST requests to `/api/extensions/delete` whose `extensionName` is empty, a single dot (`.`), `..`, or contains path separators; the parameter travels in the JSON body, so a URL-only rule cannot see it.
Consider restricting the vulnerable API endpoints to trusted source addresses with firewall or proxy rules, and enable the application's own authentication if it is available and not already turned on.