Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionGitHub Advisory
SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, the fix for CVE-2026-30869 only added a denylist check (IsSensitivePath) but did not address the root cause - a redundant url.PathUnescape() call in serveExport(). An authenticated attacker can use double URL encoding (%252e%252e) to traverse directories and read arbitrary workspace files including the full SQLite database (siyuan.db), kernel log, and all user documents. This vulnerability is fixed in 3.6.5.
AnalysisAI
Directory traversal in SiYuan personal knowledge management system allows authenticated attackers to read arbitrary workspace files via double URL encoding bypass. The vulnerability stems from an incomplete fix for CVE-2026-30869 that added only denylist validation without removing a redundant url.PathUnescape() call in serveExport(). Attackers can use %252e%252e encoding to access sensitive files including the complete SQLite database (siyuan.db), kernel logs, and all user documents. EPSS data not available for this recent CVE; publicly available exploit code exists (GitHub commit demonstrates exploitation technique).
Technical ContextAI
The vulnerability affects SiYuan (CPE: cpe:2.3:a:siyuan-note:siyuan), an open-source personal knowledge management system built in Go. This is a CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) path traversal issue caused by redundant URL decoding. The serveExport() function calls url.PathUnescape() on already-decoded input, creating a double-decode condition. When a client sends %252e (which is % followed by 25 and 2e), the first decode (by HTTP server/router) converts it to %2e, then the redundant PathUnescape() converts %2e to a literal dot. This allows sequences like %252e%252e%252f to bypass the IsSensitivePath denylist check (which occurs before the second decode) and resolve to ../ enabling directory traversal. The previous CVE-2026-30869 fix attempted to block traversal with path validation but failed to address the root cause double-decoding issue.
RemediationAI
Upgrade to SiYuan version 3.6.5 or later immediately, available at https://github.com/siyuan-note/siyuan/releases/tag/v3.6.5. The fix (commit bb481e1290c4a34255652ede85a546504505d2a7) removes the redundant url.PathUnescape() call from serveExport(), eliminating the double-decode condition. If immediate patching is not feasible, implement network-level access controls to restrict SiYuan instances to trusted users only and monitor export endpoint access logs for unusual encoded character sequences (%25). Disable the export functionality entirely if not business-critical by blocking HTTP routes to /export/* endpoints via reverse proxy rules, though this eliminates legitimate export features. Review authentication logs for suspicious account activity and rotate credentials for accounts with access to sensitive workspaces. These workarounds reduce but do not eliminate risk; patching remains the definitive solution.
A SQL injection vulnerability was discovered in Siyuan 3.1.11 in /getHistoryItems. Rated critical severity (CVSS 9.8), t
A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the ids array parameter in /batchGetBlockAttrs. R
A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the id parameter at /getAssetContent. Rated criti
A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the notebook parameter in /searchHistory. Rated c
SiYuan personal knowledge management system prior to 3.5.4 has a stored XSS vulnerability (CVSS 9.6) that allows code ex
Origin-validation bypass in SiYuan Note (open-source personal knowledge management) before 3.7.0 lets any installed Chro
Reflected XSS in SiYuan knowledge management before 3.5.9.
SiYuan knowledge management system prior to 3.5.5 has a path traversal in /api/file/copyFile allowing arbitrary file ope
SiYuan version 3.0.3 allows executing arbitrary commands on the server. Rated critical severity (CVSS 9.0), this vulnera
SQL injection in SiYuan prior to version 3.6.0 allows any authenticated user, including those with read-only access, to
Cross-site scripting (XSS) in SiYuan personal knowledge management system versions 3.6.0-3.6.1 allows remote attackers t
Arbitrary file disclosure in SiYuan personal knowledge management system before 3.7.0 lets an unauthenticated remote att
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25626
GHSA-hjh7-r5w8-5872