CVE-2025-21609

CRITICAL

SiYuan Note <3.1.18 - File Deletion

Description

SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19.

Scores

CVSS v3: 9.1
EPSS: 0.0037
EPSS Percentile: 58.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-552, CWE-459
Status: published
Products (2)
b3log/siyuan 3.1.18
siyuan-note/siyuan 0Go
Published: Jan 03, 2025
Tracked Since: Feb 18, 2026