CVE-2026-33194
MEDIUM
SiYuan <3.6.2 IsSensitivePath - Arbitrary File Read
Title source: manual
Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the `IsSensitivePath()` function in `kernel/util/path.go` uses a denylist approach that was recently expanded (GHSA-h5vh-m7fg-w5h6, commit 9914fd1) but remains incomplete. Multiple security-relevant Linux directories are not blocked, including `/opt` (application data), `/usr` (local configs/binaries), `/home` (other users), `/mnt` and `/media` (mounted volumes). The `globalCopyFiles` and `importStdMd` endpoints rely on `IsSensitivePath` as their primary defense against reading files outside the workspace. Version 3.6.2 contains an updated fix.
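To illustrate why a denylist of system directories cannot protect a workspace-scoped file API, here is an added Go example (not SiYuan's code; `isSensitivePathDenylist`, `isWithinWorkspace` and the sample paths are hypothetical) contrasting a denylist check with an allowlist check that only accepts paths resolving inside the workspace root:

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Hypothetical denylist in the spirit of the pattern the advisory describes:
// a fixed set of well-known system directories, everything else allowed.
var denylist = []string{"/etc", "/root", "/proc", "/sys", "/dev", "/boot", "/var"}

// isSensitivePathDenylist returns true only for paths under a listed prefix.
// Anything the list forgot (/opt, /usr, /home, /mnt, /media, ...) passes.
func isSensitivePathDenylist(p string) bool {
	clean := filepath.Clean(p)
	for _, d := range denylist {
		if clean == d || strings.HasPrefix(clean, d+"/") {
			return true
		}
	}
	return false
}

// isWithinWorkspace is the allowlist alternative: resolve the requested path
// and accept it only if it stays inside the workspace root. Directories the
// denylist never listed are rejected simply because they are not under the
// root, and prefix confusion ("workspace2" next to "workspace") is handled by
// comparing path components via filepath.Rel, not raw string prefixes.
// Production code should additionally resolve symlinks (filepath.EvalSymlinks)
// on existing paths before this comparison.
func isWithinWorkspace(workspace, p string) (bool, error) {
	root, err := filepath.Abs(workspace)
	if err != nil {
		return false, err
	}
	abs, err := filepath.Abs(p)
	if err != nil {
		return false, err
	}
	rel, err := filepath.Rel(root, abs)
	if err != nil {
		return false, err
	}
	// A relative path of ".." or starting with "../" escapes the root.
	escaped := rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
	return !escaped, nil
}

func main() {
	ws := "/home/alice/workspace" // constructed sample workspace root
	for _, p := range []string{"/etc/passwd", "/opt/app/config.yaml", ws + "/data/note.sy", ws + "/../other"} {
		ok, _ := isWithinWorkspace(ws, p)
		fmt.Printf("%-32s denylist-blocked=%-5v workspace-allowed=%v\n", p, isSensitivePathDenylist(p), ok)
	}
}
```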
References (1)
Core reference (x_refsource_confirm): https://github.com/siyuan-note/siyuan/security/advisories/GHSA-vm69-h85x-8p85
Scores
CVSS v3
6.8
EPSS
0.0049
EPSS Percentile
38.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (3)
b3log/siyuan
< 3.6.2
siyuan-note/siyuan
0 - 3.6.2 (Go)
siyuan-note/siyuan
< 3.6.2
Published
Mar 20, 2026
Tracked Since
Mar 21, 2026