SCA: security update for sillytavern (GHSA-wmm3-h9qj-p5v6)

high Tenable Self-Hosted Container Security Plugin ID 441788

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- SillyTavern is a locally installed user interface that allows users to interact with text generation large
language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern
relies on cookie-session for authentication, storing all session data (user handle, permissions) in a
signed cookie. The endpoints POST /api/users/change-password and POST /api/users/recover-step2 only update
the password hash in the database but do not expire current sessions. Because the session is stateless and
stored entirely in the client cookie, there is no server-side mechanism to revoke a token once issued.
This vulnerability is fixed in 1.18.0. (CVE-2026-44648)

Solution

Update the sillytavern library and its related packages to version 1.18.0 or later.

See Also

https://github.com/advisories/GHSA-wmm3-h9qj-p5v6

Plugin Details

Severity: High

ID: 441788

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 5/13/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.86

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-44648

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/12/2026

Vulnerability Publication Date: 5/12/2026

Reference Information

CVE: CVE-2026-44648

cwe: CWE-613