CVE-2026-35484
EUVD-2026-1966707.04.2026, 15:17
text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in load_preset() allows reading any .yaml file on the server filesystem. The parsed YAML key-value pairs (including passwords, API keys, connection strings) are returned in the API response. This vulnerability is fixed in 4.3.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| oobabooga | textgen | 𝑥 < 4.3 |
𝑥
= Vulnerable software versions