Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath`. Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process. Authentication checks explicitly exclude this endpoint, allowing exploitation without valid credentials. Version 3.6.2 fixes this issue.
Published: 2026-03-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

SiYuan, a personal knowledge management system, contains a vulnerability where an unauthenticated attacker can read arbitrary files on the server by accessing the /appearance/*filepath endpoint, which lacks proper path sanitization. The flaw, identified as a path traversal issue (CWE-22) combined with unchecked file access (CWE-73), allows disclosure of any files that the web server process can read, thereby compromising confidentiality of sensitive data.

Affected Systems

The affected product is Siyuan, released by Siyuan-Note. Versions prior to 3.6.2 are impacted; these include all builds that expose the /appearance service. Upgrading to version 3.6.2 or later removes the vulnerability.

Risk and Exploitability

The CVSS score of 7.5 classifies the flaw as high severity. The EPSS score is below 1%, indicating a low likelihood of exploitation in the wild. The vulnerability is not present in the CISA KEV catalog, but because the endpoint is reachable without authentication, any attacker who can reach an internet-exposed instance can exploit it, reading files such as credentials, configuration, or user data.

Generated by OpenCVE AI on March 23, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading to version 3.6.2 or later.
  • If an upgrade is not immediately possible, block or limit network access to the /appearance/*filepath endpoint or to the entire Siyuan instance using firewall or hosting controls.
  • Verify that no anonymous file-serving endpoints remain active to ensure no residual path traversal vulnerabilities.

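The recommended actions above come down to one property a file-serving route must have: every request path is resolved to a location inside the served directory before anything is opened. The following Go program (Go being the language of the SiYuan kernel) is an added example written for this page; it is not SiYuan's code and does not reproduce the project's 3.6.2 fix. Only the route shape /appearance/*filepath comes from the advisory; the root directory name, the file names and the sample requests are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a request tries to leave the served root.
var ErrTraversal = errors.New("path traversal rejected")

// insideRoot reports whether candidate is root itself or lies below it.
func insideRoot(root, candidate string) bool {
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// SafeResolve maps the wildcard part of a request such as
// /appearance/*filepath onto a file path under root, or refuses it.
// It percent-decodes exactly once, treats backslashes as separators,
// rejects any ".." segment outright (so attempts show up in logs instead
// of being silently collapsed), and confirms the joined path is inside root.
func SafeResolve(root, requested string) (string, error) {
	decoded, err := url.PathUnescape(requested)
	if err != nil {
		return "", fmt.Errorf("bad percent-encoding: %w", err)
	}
	norm := strings.ReplaceAll(decoded, `\`, "/")
	for _, seg := range strings.Split(norm, "/") {
		if seg == ".." {
			return "", ErrTraversal
		}
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Anchoring at "/" before Clean yields a rooted, normalised path.
	full := filepath.Join(absRoot, filepath.FromSlash(path.Clean("/"+norm)))
	if !insideRoot(absRoot, full) {
		return "", ErrTraversal
	}
	return full, nil
}

// AppearanceHandler serves files below root the way a hardened
// /appearance/*filepath route should: traversal attempts get 400 plus a
// log line, and anything that is not a regular file inside root gets 404.
func AppearanceHandler(root string) http.Handler {
	absRoot := root
	if a, err := filepath.Abs(root); err == nil {
		absRoot = a
	}
	// Resolve the root itself so the symlink check below compares like with like.
	if r, err := filepath.EvalSymlinks(absRoot); err == nil {
		absRoot = r
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Use the escaped form so that SafeResolve performs the single decode.
		requested := strings.TrimPrefix(r.URL.EscapedPath(), "/appearance/")
		full, err := SafeResolve(absRoot, requested)
		if err != nil {
			fmt.Fprintf(os.Stderr, "rejected %q from %s: %v\n", r.URL.Path, r.RemoteAddr, err)
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		// Follow symlinks so a link placed under root cannot point outside it.
		resolved, err := filepath.EvalSymlinks(full)
		if err != nil || !insideRoot(absRoot, resolved) {
			http.NotFound(w, r)
			return
		}
		info, err := os.Stat(resolved)
		if err != nil || !info.Mode().IsRegular() {
			http.NotFound(w, r)
			return
		}
		http.ServeFile(w, r, resolved)
	})
}

func main() {
	// Constructed sample requests against a hypothetical ./appearance directory.
	samples := []string{
		"themes/daylight/theme.css",
		"../../outside.txt",
		"%2e%2e/%2e%2e/outside.txt",
		`..\..\outside.txt`,
	}
	for _, req := range samples {
		full, err := SafeResolve("./appearance", req)
		fmt.Printf("%-30q -> %q %v\n", req, full, err)
	}
}
```

Rejecting ".." segments rather than cleaning them away is a deliberate choice: a normalised request would silently succeed and leave nothing in the logs, whereas a 400 gives the operator a signal that someone is probing the endpoint. The symlink step closes the second hole the description hints at (CWE-73): a path that is textually inside root can still point elsewhere once links are followed.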

Advisories

Source: GitHub GHSA
ID: GHSA-hhgj-gg9h-rjp7
Title: Siyuan has an Unauthenticated Arbitrary File Read via Path Traversal
History

Tue, 24 Mar 2026 02:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 19:00:00 +0000

Type: First Time appeared
Values Added: B3log; B3log siyuan
Type: CPEs
Values Added: cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: B3log; B3log siyuan

Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Siyuan; Siyuan siyuan
Type: Vendors & Products
Values Added: Siyuan; Siyuan siyuan

Fri, 20 Mar 2026 22:45:00 +0000

Type: Description
Values Added: SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath`. Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process. Authentication checks explicitly exclude this endpoint, allowing exploitation without valid credentials. Version 3.6.2 fixes this issue.
Type: Title
Values Added: SiYuan has an Unauthenticated Arbitrary File Read via Path Traversal
Type: Weaknesses
Values Added: CWE-22; CWE-73
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-23T21:41:45.226Z

Reserved: 2026-03-20T16:16:48.970Z

Link: CVE-2026-33476

Vulnrichment

Updated: 2026-03-23T20:53:26.415Z

NVD

Status: Modified

Published: 2026-03-20T23:16:48.137

Modified: 2026-03-23T22:16:31.057

Link: CVE-2026-33476

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:34:17Z

Weaknesses