Lookup for vulnerable packages by Package URL.

Purl pkg:npm/sillytavern@1.18.0
Type npm
Namespace
Name sillytavern
Version 1.18.0
Qualifiers
Subpath
Is_vulnerable false
Next_non_vulnerable_version null
Latest_non_vulnerable_version null
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-19pk-pc1p-6yej
vulnerability_id VCID-19pk-pc1p-6yej
summary SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern accepts Remote-User (Authelia) and X-Authentik-Username (Authentik) HTTP headers to automatically log in users when SSO is configured. There is no validation that these headers originate from a trusted reverse proxy. Any network client that can reach the SillyTavern port directly can inject these headers and authenticate as any user, including administrators, without a password. This vulnerability is exploitable only when sso.autheliaAuth: true or sso.authentikAuth: true is set in config.yaml (both default to false). This vulnerability is fixed in 1.18.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44649
reference_id
reference_type
scores
0
value 0.00088
scoring_system epss
scoring_elements 0.25085
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44649
1
reference_url https://github.com/SillyTavern/SillyTavern
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/SillyTavern/SillyTavern
2
reference_url https://github.com/SillyTavern/SillyTavern/releases/tag/1.18.0
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/SillyTavern/SillyTavern/releases/tag/1.18.0
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-44649
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-44649
4
reference_url https://github.com/advisories/GHSA-gxx6-h3g6-vwjh
reference_id GHSA-gxx6-h3g6-vwjh
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gxx6-h3g6-vwjh
5
reference_url https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-gxx6-h3g6-vwjh
reference_id GHSA-gxx6-h3g6-vwjh
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-02T01:48:09Z/
url https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-gxx6-h3g6-vwjh
fixed_packages
0
url pkg:npm/sillytavern@1.18.0
purl pkg:npm/sillytavern@1.18.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/sillytavern@1.18.0
aliases CVE-2026-44649, GHSA-gxx6-h3g6-vwjh
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-19pk-pc1p-6yej
1
url VCID-r4a6-dvbb-13fz
vulnerability_id VCID-r4a6-dvbb-13fz
summary SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, POST /api/extensions/delete endpoint accepts extensionName: "." which bypasses sanitize-filename validation, causing the entire user extensions directory to be recursively deleted. No authentication is required in the default configuration. This vulnerability is fixed in 1.18.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44650
reference_id
reference_type
scores
0
value 0.00096
scoring_system epss
scoring_elements 0.26488
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44650
1
reference_url https://github.com/SillyTavern/SillyTavern
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/SillyTavern/SillyTavern
2
reference_url https://github.com/SillyTavern/SillyTavern/releases/tag/1.18.0
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/SillyTavern/SillyTavern/releases/tag/1.18.0
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-44650
reference_id CVE-2026-44650
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-44650
4
reference_url https://github.com/advisories/GHSA-886q-f44j-h6wh
reference_id GHSA-886q-f44j-h6wh
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-886q-f44j-h6wh
5
reference_url https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-886q-f44j-h6wh
reference_id GHSA-886q-f44j-h6wh
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T19:13:38Z/
url https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-886q-f44j-h6wh
fixed_packages
0
url pkg:npm/sillytavern@1.18.0
purl pkg:npm/sillytavern@1.18.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/sillytavern@1.18.0
aliases CVE-2026-44650, GHSA-886q-f44j-h6wh
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-r4a6-dvbb-13fz
2
url VCID-r5cw-d7g3-j7cr
vulnerability_id VCID-r5cw-d7g3-j7cr
summary SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern relies on cookie-session for authentication, storing all session data (user handle, permissions) in a signed cookie. The endpoints POST /api/users/change-password and POST /api/users/recover-step2 only update the password hash in the database but do not expire current sessions. Because the session is stateless and stored entirely in the client cookie, there is no server-side mechanism to revoke a token once issued. This vulnerability is fixed in 1.18.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44648
reference_id
reference_type
scores
0
value 0.00017
scoring_system epss
scoring_elements 0.04587
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44648
1
reference_url https://github.com/SillyTavern/SillyTavern
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/SillyTavern/SillyTavern
2
reference_url https://github.com/SillyTavern/SillyTavern/releases/tag/1.18.0
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/SillyTavern/SillyTavern/releases/tag/1.18.0
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-44648
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-44648
4
reference_url https://github.com/advisories/GHSA-wmm3-h9qj-p5v6
reference_id GHSA-wmm3-h9qj-p5v6
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wmm3-h9qj-p5v6
5
reference_url https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-wmm3-h9qj-p5v6
reference_id GHSA-wmm3-h9qj-p5v6
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-29T19:46:35Z/
url https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-wmm3-h9qj-p5v6
fixed_packages
0
url pkg:npm/sillytavern@1.18.0
purl pkg:npm/sillytavern@1.18.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/sillytavern@1.18.0
aliases CVE-2026-44648, GHSA-wmm3-h9qj-p5v6
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-r5cw-d7g3-j7cr
3
url VCID-tytb-3a67-jka2
vulnerability_id VCID-tytb-3a67-jka2
summary SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, when fetch(url) throws, the code sends: res.status(500).send('Error occurred while trying to proxy to: ' + url + ' ' + error). The url value is attacker-controlled (req.params.url) and is not HTML-escaped before rendering. This vulnerability is fixed in 1.18.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44651
reference_id
reference_type
scores
0
value 0.00062
scoring_system epss
scoring_elements 0.19567
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44651
1
reference_url https://github.com/SillyTavern/SillyTavern
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/SillyTavern/SillyTavern
2
reference_url https://github.com/SillyTavern/SillyTavern/releases/tag/1.18.0
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/SillyTavern/SillyTavern/releases/tag/1.18.0
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-44651
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-44651
4
reference_url https://github.com/advisories/GHSA-xc4x-2452-5gc9
reference_id GHSA-xc4x-2452-5gc9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xc4x-2452-5gc9
5
reference_url https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-xc4x-2452-5gc9
reference_id GHSA-xc4x-2452-5gc9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-06-01T15:20:24Z/
url https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-xc4x-2452-5gc9
fixed_packages
0
url pkg:npm/sillytavern@1.18.0
purl pkg:npm/sillytavern@1.18.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/sillytavern@1.18.0
aliases CVE-2026-44651, GHSA-xc4x-2452-5gc9
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tytb-3a67-jka2
4
url VCID-zdfr-hr2y-yycs
vulnerability_id VCID-zdfr-hr2y-yycs
summary SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, corsProxyMiddleware forwards req.params.url directly into fetch(url, ...). It only blocks circular requests to its own host and does not enforce destination allowlist or private/loopback restrictions, enabling SSRF. This vulnerability is fixed in 1.18.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44652
reference_id
reference_type
scores
0
value 0.00017
scoring_system epss
scoring_elements 0.04541
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44652
1
reference_url https://github.com/SillyTavern/SillyTavern
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/SillyTavern/SillyTavern
2
reference_url https://github.com/SillyTavern/SillyTavern/releases/tag/1.18.0
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/SillyTavern/SillyTavern/releases/tag/1.18.0
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-44652
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-44652
4
reference_url https://github.com/advisories/GHSA-ccfq-2454-f5xw
reference_id GHSA-ccfq-2454-f5xw
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-ccfq-2454-f5xw
5
reference_url https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-ccfq-2454-f5xw
reference_id GHSA-ccfq-2454-f5xw
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T21:40:42Z/
url https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-ccfq-2454-f5xw
fixed_packages
0
url pkg:npm/sillytavern@1.18.0
purl pkg:npm/sillytavern@1.18.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/sillytavern@1.18.0
aliases CVE-2026-44652, GHSA-ccfq-2454-f5xw
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zdfr-hr2y-yycs
5
url VCID-zyu8-bztz-pqhc
vulnerability_id VCID-zyu8-bztz-pqhc
summary SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern exposes /api/search/searxng, which accepts attacker-controlled baseUrl and uses it directly to build outbound server-side fetches. An authenticated low-privilege user can point baseUrl at an internal or loopback HTTP service and receive the /search response body. This vulnerability is fixed in 1.18.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-46372
reference_id
reference_type
scores
0
value 0.02887
scoring_system epss
scoring_elements 0.86623
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-46372
1
reference_url https://github.com/SillyTavern/SillyTavern
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/SillyTavern/SillyTavern
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-46372
reference_id CVE-2026-46372
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-46372
3
reference_url https://github.com/advisories/GHSA-qg89-qwwh-5f3j
reference_id GHSA-qg89-qwwh-5f3j
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qg89-qwwh-5f3j
4
reference_url https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-qg89-qwwh-5f3j
reference_id GHSA-qg89-qwwh-5f3j
reference_type
scores
0
value 8.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-29T19:43:41Z/
url https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-qg89-qwwh-5f3j
fixed_packages
0
url pkg:npm/sillytavern@1.18.0
purl pkg:npm/sillytavern@1.18.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/sillytavern@1.18.0
aliases CVE-2026-46372, GHSA-qg89-qwwh-5f3j
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zyu8-bztz-pqhc
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/sillytavern@1.18.0