CVE-2026-44650: SillyTavern: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, POST /api/extensions/delete endpoint accepts extensionName: "." which bypasses sanitize-filename validation, causing the entire user extensions directory to be recursively deleted. No authentication is required in the default configuration. This vulnerability is fixed in 1.18.0.
HarborGuard Analysis
HarborGuard analysisSynopsis
This is a path traversal flaw in SillyTavern, a local web UI for interacting with text and image generation models. The POST /api/extensions/delete endpoint accepts an extensionName value of "." which slips past sanitize-filename and triggers recursive deletion of the entire user extensions directory; the request needs no authentication in the default configuration and is reachable over the network. Successful exploitation lets a remote attacker wipe all installed extensions and their data, and a patched-image rebuild at 1.18.0 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment, with CVE-2026-44650 ingested from upstream feeds within minutes of publication and matched against SillyTavern images in customer registries and CI pipelines. Coverage extends to custom-built images that bundle SillyTavern below 1.18.0.
AvailableTriage is available with the published CVSS 3.1 score of 9.1 (Critical) weighted against each customer's compliance policy, so environments that treat unauthenticated network-reachable destructive bugs as release blockers see it surface accordingly. Findings route to the security inbox configured inside each customer org.
AvailableA patched-image rebuild at SillyTavern 1.18.0 is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, the rebuild runs through the regression suite and a PR is opened against affected workloads automatically.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The attacker must reach the SillyTavern HTTP API over the network (AV:N).
- AuthenticationNot required
PR:N and the advisory confirm the default configuration exposes the delete endpoint without any credentials.
- Victim interactionNot required
UI:N: the attacker sends the POST request directly with no user action involved.
- Attack complexityDetail
AC:L: sending a single crafted JSON body with extensionName set to "." reliably triggers the deletion.
Blast Radius
- Recursively deletes the entire user extensions directory, removing every installed SillyTavern extension and its on-disk state.
- Destroys integrity of the extensions tree, so configured model integrations, custom UI extensions, and any data stored under that directory are lost.
- Disrupts availability of features that depend on those extensions until they are reinstalled and reconfigured.
How HarborGuard Handles This
Available on HarborGuard: a patched-image rebuild at SillyTavern 1.18.0 for any environment currently running an affected version, with the rebuild gated on each customer's auto-remediation and compliance policy. For environments that opt in, the typical flow is rebuild, regression run, and a PR opened against affected workloads, with median time from CVE publication to a merged patch PR for critical-severity issues around 90 minutes. Environments that cannot upgrade immediately should restrict network reachability to the SillyTavern API (bind to localhost, place it behind an authenticated reverse proxy, or apply a network policy that blocks untrusted callers) until the 1.18.0 image is rolled out.
Metrics
- CVSS v3.1
- 9.1
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
- SillyTavern / SillyTavern< 1.18.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H