SillyTavern has a reflected XSS vulnerability in the CORS proxy middleware

CVE-2026-44651 → View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

Resolution

Fixed in SillyTavern 1.18.0: a user-provided URL is no longer reflected in the HTTP response body.

Overview

  • Vulnerability Type: XSS
  • Affected Location: src/middleware/corsProxy.js:40
  • Trigger Scenario: reflected XSS in CORS proxy error response

Root Cause

When fetch(url) throws, the code sends:
res.status(500).send('Error occurred while trying to proxy to: ' + url + ' ' + error).
The url value is attacker-controlled (req.params.url) and is not HTML-escaped before rendering.

Source-to-Sink Chain

  1. Source (user-controlled input)
    - Entry point: GET /proxy/:url(*)

  2. Data flow
    - Code analysis shows concrete propagation into this sink:
    - vulnerability title: Reflected XSS in CORS proxy error response
    - sink location reached by attacker-controlled input: src/middleware/corsProxy.js:40
    - The same sink behavior is confirmed by controlled execution observations.

  3. Sink (dangerous operation)
    - Sink location: src/middleware/corsProxy.js:40
    - Vulnerable behavior: reflected XSS in CORS proxy error response

Exploitation Preconditions

  1. The attacker can inject controllable content into a rendered response.
  2. The vulnerable rendering context does not apply strict output encoding/sanitization.
  3. A victim user opens the affected page or response.

Risk

This issue enables script execution in the victim context and can compromise session or data integrity.

Impact

An attacker may run arbitrary JavaScript in the victim context, steal tokens, and manipulate user-visible behavior.

Remediation

  1. Never concatenate raw user input into HTML error responses.
  2. If URL echo is required, HTML-escape it or force plain-text output.
  3. Re-enable/strengthen CSP to reduce reflected injection impact.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-05-12 22:23:56 UTC
Updated
2026-06-09 10:32:15 UTC
GitHub reviewed
2026-05-12 22:23:56 UTC
NVD published
2026-05-29

EPSS Score

Score Percentile
0.06% 19.54%

CVSS Scores

Base score Version Severity Vector
6.9 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:L)
Limited confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:L)
Limited integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.

Identifiers

Type Value
GHSA GHSA-xc4x-2452-5gc9 ↗
CVE CVE-2026-44651 ↗

CWEs

CWE id Name
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Credits

  • FORIMOC (finder)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm sillytavern <= 1.17.0 1.18.0

References

cvelogic Threat Intelligence