
SiYuan · EUVD-2026-39122 | CVE-2026-54066 · HIGH
Path Traversal (CWE-22)
2026-06-24 · GitHub_M
CVSS 3.1 base score 7.5 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary: 7.5 HIGH
  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

vuln.today AI: 7.5 HIGH
  Unauthenticated single-request file read over the network (AV:N/AC:L/PR:N/UI:N) on the publish endpoint, leaking sensitive secrets (C:H) with no write or availability impact (I:N/A:N).
  CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Patch available: Jun 24, 2026 - 23:03 (EUVD)
Analysis generated: Jun 24, 2026 - 22:16 (vuln.today)

Description (CVE.org)

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the patch for CVE-2026-41894 ("Path Traversal via Double URL Encoding") sanitized the /export/ route but the identical root cause remains in the /assets/*path route. In publish mode (anonymous read-only HTTP endpoint, default port 6808), an unauthenticated remote attacker can read arbitrary files inside WorkspaceDir - including conf/conf.json (which contains the AccessAuthCode SHA256 hash, API token, and sync keys), temp/siyuan.db, temp/blocktree.db, and siyuan.log - by double-URL-encoding .. segments. This vulnerability is fixed in 3.7.0.
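The description above names the root cause but not the code, so the following is an added illustration (written for this page, not SiYuan's own route handler) of why a single-decode check fails against double encoding and how a resolver that validates the final filesystem path does not. The function names `weakCheck` and `safeAssetPath`, the asset root `/ws/assets` and the request strings are all constructed for the demo; `weakCheck` models one plausible shape of the flawed check (decode once, look for `..`, let a lower layer decode again), which is an assumption, since the exact logic of the vulnerable route is not given here.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a request would resolve outside the asset root.
var ErrTraversal = errors.New("path escapes asset root")

// weakCheck is a hypothetical model of the bypassed pattern: the request is
// percent-decoded once, rejected if it contains "..", and the remainder is then
// handed to a file-serving layer that decodes it a second time. It returns the
// filesystem path that lower layer would actually serve.
func weakCheck(root, requested string) (string, error) {
	once, err := url.PathUnescape(requested)
	if err != nil {
		return "", err
	}
	if strings.Contains(once, "..") {
		return "", ErrTraversal
	}
	twice, err := url.PathUnescape(once) // second decode undoes the double encoding
	if err != nil {
		return "", err
	}
	return filepath.Join(root, twice), nil
}

// safeAssetPath decodes until the string stops changing (bounded), rejects
// anything that is still encoded or contains NUL, and then checks containment
// on the final filesystem path instead of on the encoded request string.
func safeAssetPath(root, requested string) (string, error) {
	decoded := requested
	for i := 0; i < 3; i++ {
		next, err := url.PathUnescape(decoded)
		if err != nil {
			return "", err
		}
		if next == decoded {
			break
		}
		decoded = next
	}
	if strings.Contains(decoded, "%") || strings.ContainsRune(decoded, 0) {
		return "", errors.New("request still encoded or contains NUL")
	}
	rel := filepath.Clean(filepath.FromSlash(decoded))
	sep := string(filepath.Separator)
	// Reject absolute paths and anything that climbs above the root.
	if filepath.IsAbs(rel) || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrTraversal
	}
	rootClean := filepath.Clean(root)
	full := filepath.Join(rootClean, rel)
	// Belt and braces: the joined path must still sit under the root.
	if full != rootClean && !strings.HasPrefix(full, rootClean+sep) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	root := "/ws/assets" // constructed workspace layout for the demo
	for _, req := range []string{"img/a.png", "%2e%2e/conf/conf.json", "%252e%252e/conf/conf.json"} {
		w, werr := weakCheck(root, req)
		s, serr := safeAssetPath(root, req)
		fmt.Printf("%-28s weak=%q (%v)  safe=%q (%v)\n", req, w, werr, s, serr)
	}
}
```

The point of the hardened version is that the containment decision is made on the path the operating system will open, after every encoding layer has been stripped, so adding more layers of `%25` cannot change the outcome. A file served for a filename that legitimately contains `%` would be rejected by the bounded-decode check here; a production handler would store such assets under an encoded name instead.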

Analysis (AI)

Arbitrary file disclosure in SiYuan personal knowledge management system before 3.7.0 lets an unauthenticated remote attacker read any file inside the workspace directory through its publish-mode HTTP endpoint (default port 6808). The flaw is an incomplete fix for CVE-2026-41894: the earlier patch sanitized the /export/ route but left the identical double-URL-encoding path traversal in the /assets/*path route, exposing conf/conf.json (AccessAuthCode SHA256 hash, API token, sync keys), the temp SQLite databases, and siyuan.log. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify exposed SiYuan publish endpoint (port 6808)
Delivery: Craft double-URL-encoded ../ request to /assets/
Exploit: Bypass path normalization in assets route
Execution: Read conf/conf.json and temp databases
Persist: Harvest AccessAuthCode hash, API token, sync keys
Impact: Reuse credentials for deeper access

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the target SiYuan instance to be running in publish mode - the anonymous read-only HTTP endpoint served by default on port 6808 - and that port to be reachable by the attacker. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5) accurately reflects a network-reachable, low-complexity, unauthenticated read of high-value data with no integrity or availability impact - consistent with the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker locates an internet-exposed SiYuan instance running in publish mode on port 6808 and issues a single crafted HTTP GET to the /assets/ route with double-URL-encoded '..' segments to traverse out of the assets directory. They retrieve conf/conf.json to harvest the AccessAuthCode SHA256 hash, API token, and sync keys, then use those credentials and the leaked databases to escalate access. …

Remediation: Vendor-released patch: upgrade SiYuan to version 3.7.0 or later, which fixes the double-URL-encoding path traversal in the /assets/*path route; see the advisory at https://github.com/siyuan-note/siyuan/security/advisories/GHSA-p4m3-mgmm-c664. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Inventory all SiYuan deployments pre-3.7.0 with publish mode enabled on port 6808; immediately restrict network access to that port via firewall, or disable the endpoint if it is not required operationally. …

