Impact
The vulnerability is a path traversal flaw (CWE‑22) in which path validation is bypassed when double‑encoded traversal sequences are used against the /export endpoint of the SiYuan knowledge‑management system. An attacker can craft an HTTP request that names an arbitrary file path and obtain the contents of any file that the server process can read. Exposure of locally stored configuration files, such as conf/conf.json, can leak API tokens, cookie signing keys and workspace authentication secrets. These credentials could grant the attacker administrative access to the SiYuan kernel API and, in certain deployment scenarios, the attacker could subsequently achieve remote code execution.
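The following added example is not SiYuan's code. It sketches the general class of bug described above, a traversal check that runs before the final URL decode, next to a check that validates the resolved path. It assumes the handler decodes the path once more after the HTTP server's own decode; exportRoot, naiveResolve and safeResolve are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// exportRoot is a hypothetical directory the endpoint may serve from.
const exportRoot = "/srv/workspace/temp/export"

var errTraversal = errors.New("path escapes export root")

// naiveResolve checks for ".." and only then decodes again, so "%2e%2e"
// (what remains of "%252e%252e" after the server's first decode) passes.
func naiveResolve(onceDecoded string) (string, error) {
	if strings.Contains(onceDecoded, "..") {
		return "", errTraversal
	}
	p, err := url.PathUnescape(onceDecoded) // second decode, after validation
	if err != nil {
		return "", err
	}
	return filepath.Join(exportRoot, p), nil
}

// safeResolve decodes first, refuses input that is still encoded, and then
// validates the final cleaned path for containment rather than the string.
func safeResolve(onceDecoded string) (string, error) {
	p, err := url.PathUnescape(onceDecoded)
	if err != nil || strings.Contains(p, "%") { // conservative: no residual encoding
		return "", errTraversal
	}
	full := filepath.Join(exportRoot, p) // Join cleans "." and ".." segments
	rel, err := filepath.Rel(exportRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errTraversal
	}
	return full, nil
}

func main() {
	in := "%2e%2e/%2e%2e/conf/conf.json" // constructed input, as seen after the first decode
	n, _ := naiveResolve(in)
	_, err := safeResolve(in)
	fmt.Println("naive:", n, "| safe:", err)
}
```

Rejecting any residual "%" also refuses legitimate file names that contain a literal percent sign; that trade-off is a choice made for this example.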
Affected Systems
SiYuan, the personal knowledge‑management application distributed by siyuan-note, is vulnerable in all releases before version 3.5.10. The CPE library lists the product as b3log:siyuan and the CNA indicates affected vendors/products as siyuan-note:siyuan. No specific sub‑version constraints are given beyond the statement that the fix is in 3.5.10.
Risk and Exploitability
The CVSS score is 9.3, marking the flaw as critical. The EPSS rating of less than 1% suggests an extremely low probability of widespread exploitation as recorded in current data, and the vulnerability has not been listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote over the network. The necessary conditions are that the attacker can reach the victim’s SiYuan instance and that it runs a version older than 3.5.10. Once the flaw is exploited, the attacker can read sensitive files and may leverage the extracted secrets to gain administrative privileges, potentially chaining into remote code execution depending on the deployment configuration.