Description
SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, the fix for CVE-2026-30869 only added a denylist check (IsSensitivePath) but did not address the root cause — a redundant url.PathUnescape() call in serveExport(). An authenticated attacker can use double URL encoding (%252e%252e) to traverse directories and read arbitrary workspace files including the full SQLite database (siyuan.db), kernel log, and all user documents. This vulnerability is fixed in 3.6.5.
Published: 2026-04-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Exposure
Action: Immediate Patch
AI Analysis

Impact

SiYuan, an open-source personal knowledge management system, contains a path traversal flaw that allows an authenticated attacker to read arbitrary files within the workspace. The bug is triggered by double URL encoding (e.g., %252e%252e) on the `/export/` endpoint, which bypasses a denylist check added in a prior fix but fails to remove an unnecessary url.PathUnescape() call. With this vulnerability an attacker can access sensitive files such as the SQLite database, kernel logs, and user documents.

Affected Systems

All Siyuan Note installations running a version earlier than 3.6.5 are affected. The vulnerability exists before the 3.6.5 release and has been fixed in that version.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate to high severity, whereas the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack requires authentication; the likely vector is a remote or local attacker who has legitimate access to the application and can utilize the export feature to exploit the path traversal.

Generated by OpenCVE AI on April 28, 2026 at 05:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 3.6.5 or later, which removes the redundant url.PathUnescape() call and properly validates paths.
  • Disable the /export/ endpoint or restrict it to administrators if the feature is not required for all users.
  • Ensure that the workspace database (siyuan.db) and log files have appropriate filesystem permissions to prevent unintended exposure by non‑authorized processes.

Generated by OpenCVE AI on April 28, 2026 at 05:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hjh7-r5w8-5872 SiYuan: Path Traversal via Double URL Encoding in `/export/` Endpoint (Incomplete Fix Bypass for CVE-2026-30869)
History

Mon, 27 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Siyuan
Siyuan siyuan
Vendors & Products Siyuan
Siyuan siyuan

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Description SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, the fix for CVE-2026-30869 only added a denylist check (IsSensitivePath) but did not address the root cause — a redundant url.PathUnescape() call in serveExport(). An authenticated attacker can use double URL encoding (%252e%252e) to traverse directories and read arbitrary workspace files including the full SQLite database (siyuan.db), kernel log, and all user documents. This vulnerability is fixed in 3.6.5.
Title SiYuan: Incomplete Fix Bypass for CVE-2026-30869: Path Traversal via Double URL Encoding in `/export/` Endpoint
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Siyuan Siyuan
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-27T13:43:17.050Z

Reserved: 2026-04-22T15:11:54.671Z

Link: CVE-2026-41894

cve-icon Vulnrichment

Updated: 2026-04-27T13:42:56.193Z

cve-icon NVD

Status : Deferred

Published: 2026-04-24T19:17:14.360

Modified: 2026-04-27T18:53:00.053

Link: CVE-2026-41894

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T06:00:09Z

Weaknesses