CVE-2026-35050
Published April 6, 2026 · Updated April 7, 2026
What This Means
CVE-2026-35050 is a critical vulnerability (CVSS 9.1) in text-generation-webui before version 4.1.1. The extension-settings save function let a user of the web interface choose both the file name and the file extension, and wrote the result into the application's root directory. A user could therefore save "settings" with a .py extension under the name of an existing script, such as download-model.py, replacing that script's contents. Because download-model.py is executed when a model download is requested from the Model menu, the overwritten file runs, giving arbitrary code execution on the host. Upgrade to version 4.1.1 or later to fix the issue.
Official Description
text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.1.1, users can save extension settings in "py" format and in the app root directory. This allows overwriting Python files; for instance, the "download-model.py" file could be overwritten. Then, this Python file can be triggered to get executed from the "Model" menu when requesting to download a new model. This vulnerability is fixed in 4.1.1.
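The unsafe-save pattern the description refers to, shown beside one way to harden it. This is an added illustration, not text-generation-webui's own code or its fix: the function names, the `user_data/settings` directory, the allowed-format list and the stand-in download-model.py are assumptions made for the example.

```python
"""Hypothetical illustration of the CVE-2026-35050 pattern and a hardened
variant. Added example code; not text-generation-webui's implementation.
APP_ROOT layout, SETTINGS_DIR, function names and ALLOWED_FORMATS are assumptions."""
import json
import os
import tempfile

# Serialisation formats a settings save may produce (assumption for the example).
ALLOWED_FORMATS = {"json", "yaml"}


def save_settings_vulnerable(app_root: str, name: str, fmt: str, settings: dict) -> str:
    """Vulnerable pattern: the caller picks the base name AND the extension, and
    the file is written directly into the app root. name='download-model' with
    fmt='py' therefore replaces download-model.py with attacker-chosen content."""
    path = os.path.join(app_root, f"{name}.{fmt}")
    with open(path, "w") as f:
        f.write(json.dumps(settings))
    return path


def save_settings_hardened(app_root: str, name: str, fmt: str, settings: dict) -> str:
    """Hardened pattern: extension comes from an allowlist, the name may not
    contain separators or start with a dot, and the file lands in a dedicated
    settings directory whose resolved path is re-checked before writing."""
    if fmt not in ALLOWED_FORMATS:
        raise ValueError(f"format not allowed: {fmt!r}")
    if not name or name.startswith(".") or "/" in name or "\\" in name or os.sep in name:
        raise ValueError(f"invalid settings name: {name!r}")
    settings_dir = os.path.realpath(os.path.join(app_root, "user_data", "settings"))
    os.makedirs(settings_dir, exist_ok=True)
    path = os.path.realpath(os.path.join(settings_dir, f"{name}.{fmt}"))
    # Defence in depth: refuse anything that resolves outside settings_dir.
    if os.path.commonpath([path, settings_dir]) != settings_dir:
        raise ValueError("path escapes settings directory")
    with open(path, "w") as f:
        f.write(json.dumps(settings))
    return path


def demo() -> dict:
    """Create a throwaway app root with a stand-in download-model.py (constructed
    sample), run both savers with the overwrite inputs, and report the outcome."""
    root = tempfile.mkdtemp()
    script = os.path.join(root, "download-model.py")
    with open(script, "w") as f:
        f.write("print('legitimate downloader')\n")
    payload = {"note": "attacker-controlled content"}  # contents are now the user's choice

    save_settings_vulnerable(root, "download-model", "py", payload)
    with open(script) as f:
        after_vulnerable_save = f.read()

    hardened_blocked = False
    try:
        save_settings_hardened(root, "download-model", "py", payload)
    except ValueError:
        hardened_blocked = True

    safe_path = save_settings_hardened(root, "my_extension", "json", {"enabled": True})
    inside_settings_dir = os.sep + os.path.join("user_data", "settings") + os.sep in safe_path
    return {
        "script_overwritten": "legitimate downloader" not in after_vulnerable_save,
        "hardened_blocked": hardened_blocked,
        "safe_path_in_settings_dir": inside_settings_dir,
    }


if __name__ == "__main__":
    print(demo())
```

The important part of the hardened variant is that the extension is never taken from the request: with the format fixed to a data format, nothing the user saves can become an importable or executable Python file, regardless of what name they supply.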
Recommended Actions
- Check whether any of your systems run text-generation-webui at a version before 4.1.1 (this advisory names no other affected product).
- Upgrade to text-generation-webui 4.1.1 or later. Until you can, do not expose the web interface to users you do not trust, since saving extension settings is all that is needed to trigger the overwrite.
- Monitor vendor advisories for updates and additional mitigations.
- Review the application root for Python files that differ from the shipped version (download-model.py in particular) and for .py files that do not belong to the project, and check any available logs for indicators of compromise related to CVE-2026-35050.
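One way to carry out the file-review step above: hash every top-level .py file in the install and compare against a baseline taken from a known-good copy. This is an added example, not part of the advisory or the project; the file names and the "evil" file are constructed samples, and the directory layout is an assumption.

```python
"""Added example: baseline-hash check for top-level .py files in an install
directory, not part of the advisory or of text-generation-webui. A
CVE-2026-35050 overwrite shows up as a 'modified' entry (the clobbered script)
or an 'unexpected' one (a new .py file the baseline never saw)."""
import hashlib
import os
import tempfile


def hash_python_files(app_root: str) -> dict:
    """Map each top-level .py file name to its SHA-256 hex digest."""
    digests = {}
    for entry in sorted(os.listdir(app_root)):
        path = os.path.join(app_root, entry)
        if entry.endswith(".py") and os.path.isfile(path):
            with open(path, "rb") as f:
                digests[entry] = hashlib.sha256(f.read()).hexdigest()
    return digests


def diff_against_baseline(baseline: dict, current: dict) -> dict:
    """Classify every file as modified, unexpected (not in baseline) or missing."""
    return {
        "modified": sorted(n for n in current if n in baseline and current[n] != baseline[n]),
        "unexpected": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }


def demo() -> dict:
    """Build a constructed install, record a baseline, then simulate the
    overwrite of download-model.py plus one dropped extra file."""
    root = tempfile.mkdtemp()
    shipped = {
        "server.py": "print('server')\n",
        "download-model.py": "print('legitimate downloader')\n",
    }
    for name, body in shipped.items():
        with open(os.path.join(root, name), "w") as f:
            f.write(body)
    baseline = hash_python_files(root)  # would normally come from a clean checkout

    # Simulated compromise (constructed): settings saved over the script, and a new .py.
    with open(os.path.join(root, "download-model.py"), "w") as f:
        f.write('{"note": "attacker-controlled content"}\n')
    with open(os.path.join(root, "evil_settings.py"), "w") as f:
        f.write('{"note": "also attacker-controlled"}\n')

    return diff_against_baseline(baseline, hash_python_files(root))


if __name__ == "__main__":
    print(demo())
```

If the install is a git checkout, `git status` and `git diff` against the tagged release give the same answer with less effort; the hash comparison is for installs where that history is not available. Treat a modified download-model.py as evidence of exploitation, not just of tampering, because the file runs on the next model download.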