Severity: HIGH | CVE-2026-46372 | CNA: GitHub_M

CVE-2026-46372: SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern exposes /api/search/searxng, which accepts attacker-controlled baseUrl and uses it directly to build outbound server-side fetches. An authenticated low-privilege user can point baseUrl at an internal or loopback HTTP service and receive the /search response body. This vulnerability is fixed in 1.18.0.

HarborGuard Analysis

Synopsis

Server-side request forgery (SSRF) in SillyTavern's SearXNG search proxy. The /api/search/searxng endpoint accepts an attacker-controlled baseUrl and uses it directly for outbound server-side fetches, reachable over the network by any authenticated low-privilege user without victim interaction. Successful exploitation lets an attacker probe internal or loopback HTTP services and read their /search response bodies, exposing internal application data and metadata. A patched-image rebuild at 1.18.0 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE record is ingested from upstream feeds within minutes of publication and matched against SillyTavern images in customer registries and CI pipelines, including custom-built images derived from the upstream project.

Triage: Available

Triage scoring is available using the published CVSS v3.1 score of 8.5 (High), reweighted against each customer's compliance policy (exposure of the SillyTavern service, presence of sensitive internal HTTP endpoints, multi-tenant posture) and routed to the appropriate inbox inside the customer org.

Patch: Pending upstream

A patched-image rebuild at SillyTavern 1.18.0 is available on HarborGuard for environments running an affected version. Customers with auto-remediation enabled get the rebuilt image, a regression-test run, and a PR opened against affected workloads.

Exploit Conditions

  • Network reachability: Required

    Attacker must reach the SillyTavern HTTP service over the network (AV:N), typically the locally exposed UI port.

  • Authentication: Required

    A low-privilege authenticated account on the SillyTavern instance is required (PR:L).

  • Victim interaction: Not required

    No user action is needed; the attacker calls the /api/search/searxng endpoint directly (UI:N).

  • Attack complexity: Low

    Attack complexity is low (AC:L); the baseUrl parameter is honored without validation, so exploitation is reliable and condition-free.

Blast Radius

  • Reads response bodies from internal or loopback HTTP services that the SillyTavern host can reach, including metadata endpoints, admin consoles, and other intranet services.
  • Enables internal network reconnaissance by probing arbitrary hosts and ports through the vulnerable proxy.
  • Allows limited tampering of search results returned to the SillyTavern UI by pointing baseUrl at attacker-controlled infrastructure (I:L).

How HarborGuard Handles This

Available on HarborGuard: a patched-image rebuild at SillyTavern 1.18.0 for any environment running an affected version. For customers with auto-remediation enabled, the rebuild is generated, a regression suite is run, and a PR is opened against affected workloads automatically; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. Where compliance policy gates auto-remediation, the rebuilt image is staged for manual approval, and compensating controls (restricting SillyTavern accounts to trusted users, blocking egress from the SillyTavern container to internal management networks and cloud metadata endpoints, and fronting the /api/search/searxng route with an allowlist proxy) can be applied until the upgrade lands.
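One way to implement the allowlist check used as a compensating control above, as an added example that is neither SillyTavern's own code nor its upstream fix. The allowlist contents, the function names and the /search path joined onto the validated origin are assumptions; hostnames are compared against the allowlist by name, and literal loopback or private addresses are rejected before any outbound fetch is built.

```javascript
// Added example (not SillyTavern code): validate a user-supplied SearXNG baseUrl
// against an operator allowlist before the server issues any outbound request.
// Constructed allowlist: only the operator's own SearXNG instances, as host:port.
const ALLOWED_SEARXNG_HOSTS = new Set([
  'searxng.example.internal:8080',
  'search.example.com:443',
]);

// True when the hostname is a literal loopback/private IPv4 or IPv6 address.
// WHATWG URL parsing has already normalised forms such as 0x7f000001 to 127.0.0.1.
function isPrivateLiteral(hostname) {
  const h = hostname.replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  const v4 = h.match(/^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/);
  if (v4) {
    const a = Number(v4[1]);
    const b = Number(v4[2]);
    return a === 127 || a === 10 || a === 0 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  if (h.includes(':')) {
    const l = h.toLowerCase();
    return l === '::1' || l === '::' || /^f[cd]/.test(l) ||
      l.startsWith('fe80') || l.startsWith('::ffff:');
  }
  return false;
}

// Returns { ok: true, target } for an allowlisted base, or { ok: false, reason }.
function validateSearxngBaseUrl(baseUrl, allowed = ALLOWED_SEARXNG_HOSTS) {
  let u;
  try {
    u = new URL(String(baseUrl));
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (u.username || u.password) return { ok: false, reason: 'credentials' };
  if (isPrivateLiteral(u.hostname)) return { ok: false, reason: 'private-address' };
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  if (!allowed.has(`${u.hostname}:${port}`)) return { ok: false, reason: 'not-allowlisted' };
  // Rebuild the outbound target from validated parts rather than the raw input string.
  const target = new URL('/search', `${u.protocol}//${u.host}`);
  return { ok: true, target: target.toString() };
}
```

Because the check runs before any DNS resolution, a hostname that is not on the allowlist is refused by name, so a name that later resolves to an internal address never reaches the fetch.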


Metrics

  • CVSS v3.1: 8.5
  • Severity: HIGH
  • Fixed in: 1.18.0
  • Affected products: 1
  • Affected packages: SillyTavern / SillyTavern, < 1.18.0
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N