Description
SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's /api/export/exportResources endpoint is vulnerable to arbitrary file read via path traversal. By manipulating the paths parameter, it is possible to traverse out of the workspace directory structure and access and download arbitrary files from the host system. Version 3.1.16 contains a patch for the issue.
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-25w9-wqfq-gwqx
Scores
CVSS v3: 7.5
EPSS: 0.0088
EPSS Percentile: 75.4%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-22
Status: published
Products (2)
b3log/siyuan
3.1.15
siyuan-note/siyuan
0Go
Published: Dec 12, 2024
Tracked Since: Feb 18, 2026