CVE-2026-35483
EUVD-2026-1966507.04.2026, 15:17
text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in load_template() allows reading files with .jinja, .jinja2, .yaml, or .yml extensions from anywhere on the server filesystem. For .jinja files the content is returned verbatim; for .yaml files a parsed key is extracted. This vulnerability is fixed in 4.3.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| oobabooga | textgen | 𝑥 < 4.3 |
𝑥
= Vulnerable software versions