SillyTavern Flaw Allows Full Remote Takeover via Browser

A critical vulnerability in SillyTavern, a popular web UI for AI models, allows attackers to gain complete remote control over user instances. The flaw, identified as a DNS rebinding issue, enables a malicious website to bypass browser security policies and access the locally hosted application. By tricking a user into visiting a crafted webpage, an attacker can read private chats, install malicious extensions, and inject arbitrary HTML for phishing attacks. Developers have patched the vulnerability in version 1.13.4 by adding a host whitelist feature. However, this protection is disabled by default, requiring users to manually enable the new security setting to secure their installations.

Latest mentioned: 10-07

Earliest mentioned: 10-07

Sources

securityonline.info github.com

Also Read

Beast Ransomware Emerges as Major Cyber Threat

Beast ransomware, a sophisticated Ransomware-as-a-Service (RaaS) operation, has emerged as a significant cybersecurity threat. It employs aggressive network propagation tactics using SMB port scanning to infiltrate and encrypt systems across enterprise environments. The ransomware has targeted organizations worldwide since July 2025, affecting diverse sectors including manufacturing, healthcare, and education. It uses phishing campaigns and the Vidar Infostealer to gain initial access. The malware includes geofencing logic to exclude certain regions, suggesting connections to specific geographical areas. It utilizes the ChaCha20 algorithm for encryption and includes a hidden GUI for manual control. Organizations must prioritize preventive measures and early detection capabilities to defend against this threat.

10-29Read more →