


Perceptive Security
SOC/SIEM Consultancy

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.1.1, users can save extension settings in "py" format and in…
Published:
5 April 2026 at 22:00:00
Alert date:
6 April 2026 at 19:03:35
Source:
nvd.nist.gov
Web Technologies, Emerging Technologies
CVE-2026-35050 affects text-generation-webui, an open-source web interface for running Large Language Models. Prior to version 4.1.1, users could save extension settings in Python format within the app root directory, enabling attackers to overwrite critical Python files like download-model.py. This arbitrary file overwrite vulnerability could lead to code execution when the overwritten files are triggered through the Model menu during model downloads. The vulnerability has been patched in version 4.1.1.
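The overwrite described above depends on a save routine that accepts a code file extension and writes next to the application's own scripts. As an added example (not the project's code and not the 4.1.1 patch), this sketch shows a save routine that refuses both conditions; the allow-list, the `user_settings` directory and all function names are assumptions.

```python
import tempfile
from pathlib import Path

# Assumed policy (not the project's): settings are data files, never code.
ALLOWED_SUFFIXES = {".yaml", ".yml", ".json"}

class UnsafeSettingsPath(ValueError):
    """Raised when a requested settings file name is rejected."""

def resolve_settings_path(settings_dir: Path, filename: str) -> Path:
    """Return a vetted absolute path for `filename` inside `settings_dir`."""
    base = settings_dir.resolve()
    # Accept only a bare file name: no separators, no '.', no '..', no NUL.
    if (filename in {"", ".", ".."} or filename != Path(filename).name
            or "\\" in filename or "\x00" in filename):
        raise UnsafeSettingsPath(f"not a bare file name: {filename!r}")
    # resolve() follows symlinks, so a link to a script shows its real path.
    candidate = (base / filename).resolve()
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise UnsafeSettingsPath(f"suffix not allowed: {candidate.suffix!r}")
    if candidate.parent != base:
        raise UnsafeSettingsPath(f"escapes settings directory: {candidate}")
    return candidate

def save_settings(settings_dir: Path, filename: str, content: str) -> Path:
    target = resolve_settings_path(settings_dir, filename)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content, encoding="utf-8")
    return target

def demo() -> dict:
    """Replay constructed save requests against a throwaway app root."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        script = Path(root) / "download-model.py"    # stand-in for the real script
        script.write_text("print('original')\n", encoding="utf-8")
        settings_dir = Path(root) / "user_settings"  # hypothetical directory name
        settings_dir.mkdir()
        (settings_dir / "link.yaml").symlink_to(script)
        for name in ("ext.yaml", "download-model.py", "../download-model.py", "link.yaml"):
            try:
                save_settings(settings_dir, name, "enabled: true\n")
                results[name] = "saved"
            except UnsafeSettingsPath:
                results[name] = "rejected"
        results["script_intact"] = script.read_text(encoding="utf-8") == "print('original')\n"
    return results

if __name__ == "__main__":
    print(demo())
```

Only the data file inside the settings directory is written; the `.py` name, the traversal path and the symlink that points at the script are all refused, and the stand-in script is left unchanged.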
Affected products:
text-generation-webui
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-35050
https://github.com/oobabooga/text-generation-webui/security/advisories/GHSA-jg96-p5p6-q3cv
This article was created with the assistance of AI technology by Perceptive.
