Description
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importSY and POST /api/import/importZipMd write uploaded archives to a path derived from the multipart filename field without sanitization, allowing an admin to write files to arbitrary locations outside the temp directory - including system paths that enable RCE. This can lead to data destruction by overwriting workspace or application files, and for Docker containers running as root (common default), this grants full container compromise. This issue has been fixed in version 3.6.1.
Published: 2026-03-19
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write potentially leading to Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

SiYuan’s importSY and importZipMd API endpoints allow an admin to upload archives whose multipart filename is used, without sanitization, to build the destination path. This path traversal flaw permits writing files outside the intended temp directory, to any location the process can write, enabling destructive overwrite of workspace or application files and, in environments such as Docker containers running as root, the possibility of executing arbitrary code. The weakness is categorized as CWE‑22 and CWE‑73.
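The Description and Impact sections above both come down to one missing step: the client-supplied multipart filename is joined onto the temp directory without validation. The following Go code is an added example written for this page; it is not SiYuan's code and not the 3.6.1 fix. It assumes a hypothetical upload handler that stores archives under an `uploadDir` and takes a constructed list of filenames (some benign, some containing traversal sequences) to contrast a naive `filepath.Join` with a checked mapping that rejects directory components, requires an allowed extension, and verifies containment of the final path.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeFilename is returned when a client-supplied filename cannot be
// mapped safely into the upload directory.
var ErrUnsafeFilename = errors.New("unsafe upload filename")

// NaiveUploadPath mirrors the risky pattern described on this page: the
// multipart filename is joined onto the temp directory as-is. Assumed
// illustration, not SiYuan's actual code.
func NaiveUploadPath(uploadDir, clientName string) string {
	return filepath.Join(uploadDir, clientName)
}

// IsWithin reports whether path resolves to a location under dir.
func IsWithin(dir, path string) bool {
	rel, err := filepath.Rel(dir, path)
	if err != nil || rel == "." {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// SafeUploadPath maps an untrusted multipart filename onto a path inside
// uploadDir. Assumed hardened helper for this example. It rejects any name
// carrying a directory component, "." / ".." names, NUL bytes and extensions
// outside allowedExt, then confirms the joined path is still under uploadDir.
func SafeUploadPath(uploadDir, clientName string, allowedExt []string) (string, error) {
	// A multipart filename should be a bare name; any separator (including a
	// Windows backslash, which Linux would keep inside the name) is rejected.
	if clientName == "" || clientName == "." || clientName == ".." ||
		strings.ContainsAny(clientName, "/\\\x00") {
		return "", ErrUnsafeFilename
	}
	ok := false
	for _, ext := range allowedExt {
		if strings.HasSuffix(strings.ToLower(clientName), ext) {
			ok = true
		}
	}
	if !ok {
		return "", ErrUnsafeFilename
	}
	absDir, err := filepath.Abs(uploadDir)
	if err != nil {
		return "", err
	}
	dest := filepath.Join(absDir, clientName)
	// Defense in depth: even after the checks above, refuse anything that
	// does not resolve beneath the upload directory.
	if !IsWithin(absDir, dest) {
		return "", ErrUnsafeFilename
	}
	return dest, nil
}

func main() {
	uploadDir := "/tmp/siyuan-import" // constructed sample directory
	samples := []string{             // constructed sample filenames
		"notes.sy.zip",
		"../../etc/cron.d/job.zip",
		"..\\..\\evil.zip",
		"readme.txt",
	}
	for _, name := range samples {
		naive := NaiveUploadPath(uploadDir, name)
		fmt.Printf("naive  %-28q -> %s (contained=%v)\n", name, naive, IsWithin(uploadDir, naive))
		if dest, err := SafeUploadPath(uploadDir, name, []string{".zip"}); err != nil {
			fmt.Printf("safe   %-28q -> rejected: %v\n", name, err)
		} else {
			fmt.Printf("safe   %-28q -> %s\n", name, dest)
		}
	}
}
```

The containment check in `IsWithin` is written so that a legitimate name beginning with two dots (for example `..notes.zip`) is not mistaken for traversal; only a relative path equal to `..` or starting with `..` followed by a separator escapes the directory.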

Affected Systems

The vulnerability affects the SiYuan personal knowledge management system, vendor SiYuan‑Note. Versions 3.6.0 and earlier are impacted; the issue was remediated in version 3.6.1.

Risk and Exploitability

The CVSS score of 7.6 reflects high severity, while the EPSS score of less than 1% indicates a relatively low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an HTTP POST request to the /api/import/importSY or /api/import/importZipMd endpoints, which would require administrative privileges to execute. In Docker deployments that run the application as root, an attacker who exploits this path traversal could gain full container compromise.

Generated by OpenCVE AI on March 23, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SiYuan to version 3.6.1 or later.
  • If upgrading is not feasible immediately, restrict or disable the /api/import/importSY and /api/import/importZipMd endpoints to prevent unauthorized uploads.
  • Configure Docker containers to run the application as a non‑root user to limit the impact of any file write.
  • Verify file system permissions to ensure that the application cannot write to critical directories beyond its intended workspace.


Tracking


Advisories
Source:  Github GHSA
ID:      GHSA-qvvf-q994-x79v
Title:   SiYuan importSY/importZipMd: path traversal via multipart filename enables arbitrary file write
History

Mon, 23 Mar 2026 18:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   B3log
                                      B3log siyuan
CPEs                                  cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
Vendors & Products                    B3log
                                      B3log siyuan

Fri, 20 Mar 2026 21:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Siyuan
                                      Siyuan siyuan
Vendors & Products                    Siyuan
                                      Siyuan siyuan

Thu, 19 Mar 2026 21:15:00 +0000

Type                 Values Removed   Values Added
Description                           SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importSY and POST /api/import/importZipMd write uploaded archives to a path derived from the multipart filename field without sanitization, allowing an admin to write files to arbitrary locations outside the temp directory - including system paths that enable RCE. This can lead to data destruction by overwriting workspace or application files, and for Docker containers running as root (common default), this grants full container compromise. This issue has been fixed in version 3.6.1.
Title                                 SiYuan importSY/importZipMd: Path Traversal via multipart filename enables arbitrary file write
Weaknesses                            CWE-22
                                      CWE-73
References
Metrics                               cvssV3_1
                                      {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T20:18:05.496Z

Reserved: 2026-03-13T18:53:03.531Z

Link: CVE-2026-32749

Vulnrichment

Updated: 2026-03-20T20:17:59.732Z

NVD

Status : Analyzed

Published: 2026-03-19T21:17:10.910

Modified: 2026-03-23T18:08:07.067

Link: CVE-2026-32749

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:47Z

Weaknesses