CVE-2026-40318

SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView`

CVSS 8.5 HIGHEPSS 0.3%CWE-24

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 8.5EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

16 abr 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject path traversal sequences such as ../ into the id value to escape the intended directory and delete arbitrary .json files on the server, including global configuration files and workspace metadata. This issue has been fixed in version 3.6.4.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H

Productos afectados

siyuan-note · siyuan

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/siyuan-note/siyuan/releases/tag/v3.6.4 https://github.com/siyuan-note/siyuan/security/advisories/GHSA-vw86-c94w-v3x4