Skip to main content

SiYuan EUVDEUVD-2026-25626

| CVE-2026-41894 HIGH
Path Traversal (CWE-22)
2026-04-24 GitHub_M GHSA-hjh7-r5w8-5872
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Patch released
Apr 27, 2026 - 18:53 nvd
Patch available
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
Patch available
Apr 24, 2026 - 21:02 EUVD
Analysis Generated
Apr 24, 2026 - 19:46 vuln.today
CVSS changed
Apr 24, 2026 - 19:22 NVD
7.1 (HIGH)
EUVD ID Assigned
Apr 24, 2026 - 19:15 euvd
EUVD-2026-25626
Analysis Generated
Apr 24, 2026 - 19:15 vuln.today
CVE Published
Apr 24, 2026 - 18:56 nvd
HIGH 7.1

DescriptionGitHub Advisory

SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, the fix for CVE-2026-30869 only added a denylist check (IsSensitivePath) but did not address the root cause - a redundant url.PathUnescape() call in serveExport(). An authenticated attacker can use double URL encoding (%252e%252e) to traverse directories and read arbitrary workspace files including the full SQLite database (siyuan.db), kernel log, and all user documents. This vulnerability is fixed in 3.6.5.

AnalysisAI

Directory traversal in SiYuan personal knowledge management system allows authenticated attackers to read arbitrary workspace files via double URL encoding bypass. The vulnerability stems from an incomplete fix for CVE-2026-30869 that added only denylist validation without removing a redundant url.PathUnescape() call in serveExport(). Attackers can use %252e%252e encoding to access sensitive files including the complete SQLite database (siyuan.db), kernel logs, and all user documents. EPSS data not available for this recent CVE; publicly available exploit code exists (GitHub commit demonstrates exploitation technique).

Technical ContextAI

The vulnerability affects SiYuan (CPE: cpe:2.3:a:siyuan-note:siyuan), an open-source personal knowledge management system built in Go. This is a CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) path traversal issue caused by redundant URL decoding. The serveExport() function calls url.PathUnescape() on already-decoded input, creating a double-decode condition. When a client sends %252e (which is % followed by 25 and 2e), the first decode (by HTTP server/router) converts it to %2e, then the redundant PathUnescape() converts %2e to a literal dot. This allows sequences like %252e%252e%252f to bypass the IsSensitivePath denylist check (which occurs before the second decode) and resolve to ../ enabling directory traversal. The previous CVE-2026-30869 fix attempted to block traversal with path validation but failed to address the root cause double-decoding issue.

RemediationAI

Upgrade to SiYuan version 3.6.5 or later immediately, available at https://github.com/siyuan-note/siyuan/releases/tag/v3.6.5. The fix (commit bb481e1290c4a34255652ede85a546504505d2a7) removes the redundant url.PathUnescape() call from serveExport(), eliminating the double-decode condition. If immediate patching is not feasible, implement network-level access controls to restrict SiYuan instances to trusted users only and monitor export endpoint access logs for unusual encoded character sequences (%25). Disable the export functionality entirely if not business-critical by blocking HTTP routes to /export/* endpoints via reverse proxy rules, though this eliminates legitimate export features. Review authentication logs for suspicious account activity and rotate credentials for accounts with access to sensitive workspaces. These workarounds reduce but do not eliminate risk; patching remains the definitive solution.

More in Siyuan

View all
CVE-2024-53507 CRITICAL POC
9.8 Nov 29

A SQL injection vulnerability was discovered in Siyuan 3.1.11 in /getHistoryItems. Rated critical severity (CVSS 9.8), t

CVE-2024-53506 CRITICAL POC
9.8 Nov 29

A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the ids array parameter in /batchGetBlockAttrs. R

CVE-2024-53505 CRITICAL POC
9.8 Nov 29

A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the id parameter at /getAssetContent. Rated criti

CVE-2024-53504 CRITICAL POC
9.8 Nov 29

A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the notebook parameter in /searchHistory. Rated c

CVE-2026-23852 CRITICAL POC
9.6 Jan 19

SiYuan personal knowledge management system prior to 3.5.4 has a stored XSS vulnerability (CVSS 9.6) that allows code ex

CVE-2026-54069 CRITICAL POC
9.2 Jun 24

Origin-validation bypass in SiYuan Note (open-source personal knowledge management) before 3.7.0 lets any installed Chro

CVE-2026-29183 CRITICAL POC
9.3 Mar 06

Reflected XSS in SiYuan knowledge management before 3.5.9.

CVE-2026-25539 CRITICAL POC
9.1 Feb 04

SiYuan knowledge management system prior to 3.5.5 has a path traversal in /api/file/copyFile allowing arbitrary file ope

CVE-2024-2692 CRITICAL POC
9.0 Apr 04

SiYuan version 3.0.3 allows executing arbitrary commands on the server. Rated critical severity (CVSS 9.0), this vulnera

CVE-2026-29073 HIGH POC
8.8 Mar 06

SQL injection in SiYuan prior to version 3.6.0 allows any authenticated user, including those with read-only access, to

CVE-2026-34605 HIGH POC
8.6 Mar 31

Cross-site scripting (XSS) in SiYuan personal knowledge management system versions 3.6.0-3.6.1 allows remote attackers t

CVE-2026-54066 HIGH POC
7.5 Jun 24

Arbitrary file disclosure in SiYuan personal knowledge management system before 3.7.0 lets an unauthenticated remote att

Share

EUVD-2026-25626 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy