CVE-2026-44650: SillyTavern has a Path Traversal issue

May 12, 2026

POST /api/extensions/delete endpoint accepts extensionName: "." which bypasses sanitize-filename validation, causing the entire user extensions directory to be recursively deleted. No authentication is required in the default configuration.

References

github.com/SillyTavern/SillyTavern/releases/tag/1.18.0
github.com/SillyTavern/SillyTavern/security/advisories/GHSA-886q-f44j-h6wh
github.com/advisories/GHSA-886q-f44j-h6wh
nvd.nist.gov/vuln/detail/CVE-2026-44650

Code Behaviors & Features

Detect and mitigate CVE-2026-44650 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →