CVE-2026-40318

HIGH

SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView`

Title source: cna

Description

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject path traversal sequences such as ../ into the id value to escape the intended directory and delete arbitrary .json files on the server, including global configuration files and workspace metadata. This issue has been fixed in version 3.6.4.

References (2)

[X_Refsource_Confirm] https://github.com/siyuan-note/siyuan/security/advisories/GHSA-vw86-c94w-v3x4

[X_Refsource_Misc] https://github.com/siyuan-note/siyuan/releases/tag/v3.6.4

Scores

CVSS v3 8.5

EPSS 0.0007

EPSS Percentile 20.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-24

Status published

Products (2)

b3log/siyuan < 3.6.4

siyuan-note/siyuan < 3.6.4

Published Apr 16, 2026

Tracked Since Apr 17, 2026