Security patch:
[HIGH] GHSA-qg89-qwwh-5f3j: SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl
GitHub Security Advisory · Security · SecurityFix · 5/19/2026

## Resolution

SillyTavern 1.18.0 added a generic server-side request filter (Private Request Whitelisting). Since we expect users to use the application in a trusted environment, the filter is disabled by default, however it is strongly advised to be enabled and properly configured when an instance
Why it matters → A security vulnerability was patched. Upgrade affected versions to mitigate risk.
Who should care → Anyone running affected versions in production.
sillytavern
Source payload preview
{
"ghsaId": "GHSA-qg89-qwwh-5f3j",
"summary": "SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl",
"severity": "HIGH",
"updatedAt": "2026-05-19T20:09:52Z",
"references": [
{
"url": "https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-qg89-qwwh-5f3j"
},
{
"url": "https://github.com/advisories/GHSA-qg89-qwwh-5f3j"
}
],
"description": "## Resolution\n\nSillyTavern 1.18.0 added a generic server-side request filter (Private Request Whitelisting). Since we expect users to use the application in a trusted environment, the filter is disabled by default, however it is strongly advised to be enabled and properly configured when an instance is being hosted over a network, as suggested by a console warning message and an officia
…