Platform: go
Component: github.com/siyuan-note/siyuan/kernel
Fixed in: 3.6.2, 0.0.1, 3.6.2
CVE-2026-32749 is a path traversal vulnerability in the SiYuan kernel, the Go backend of the SiYuan note-taking application. It lets an authenticated administrator write files outside the intended temporary import directory. In practice that is an arbitrary file write with the privileges of the kernel process, which can be escalated to remote code execution (RCE). Affected are kernel versions up to and including the Go pseudo-version 0.0.0-20260313024916-fd6526133bb3 (the module state as of that commit); a fix is available in version 3.6.1.
The flaw is in the importSY and importZipMd handlers in kernel/api/import.go, which by their names import .sy documents and zipped Markdown respectively. Both build destination paths from user-supplied filenames during import and join them onto the temporary directory without checking that the result still lies inside it. A filename carrying traversal sequences such as ../../../../etc/passwd therefore resolves to a location of the attacker's choosing on the server's filesystem. Depending on what the kernel process is allowed to write, that means overwriting system or application files, planting a file that the host later executes or loads, or destroying data; the realistic end state is full compromise of the host and exfiltration of the notes stored on it.
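The following is an added example and not code from the SiYuan project. It reconstructs the unsafe join-then-write pattern described above next to a hardened version, and generalises it to entry names inside an uploaded zip archive, since the importZipMd handler by its name processes one. The function names (vulnerableDest, safeDest, extractZip, buildZip), the temp-directory layout and the in-memory sample archive are assumptions made for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal: the client-supplied name resolves outside the import
// directory (or to the directory itself).
var ErrTraversal = errors.New("name resolves outside the import directory")

// vulnerableDest is the flawed pattern: the name is joined onto tmpDir with
// no check that the result stays inside it, so "../../../../etc/passwd"
// becomes /etc/passwd. (Illustrative reconstruction, not the project's code.)
func vulnerableDest(tmpDir, name string) string {
	return filepath.Join(tmpDir, name)
}

// safeDest is the hardened form: normalise backslashes (archives built on
// Windows use them; filepath on Linux treats them as plain characters), let
// Join collapse "." and ".." segments, then require the joined result to be
// a strict descendant of tmpDir. Checking the result with Rel is the point;
// scanning the raw name for "../" is easy to get wrong.
func safeDest(tmpDir, name string) (string, error) {
	name = filepath.FromSlash(strings.ReplaceAll(name, `\`, "/"))
	tmpDir = filepath.Clean(tmpDir)
	dest := filepath.Join(tmpDir, name)
	rel, err := filepath.Rel(tmpDir, dest)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return dest, nil
}

// extractZip writes the file entries of an in-memory archive under tmpDir,
// aborting on the first entry whose name would escape it. It returns the
// paths written before stopping so a caller can clean them up.
func extractZip(tmpDir string, archive []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	// Depending on GODEBUG=zipinsecurepath, Go 1.20+ may report non-local
	// names as ErrInsecurePath but still return a usable reader; the
	// per-entry safeDest check below is what this code relies on.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	var written []string
	for _, f := range zr.File {
		dest, err := safeDest(tmpDir, f.Name)
		if err != nil {
			return written, fmt.Errorf("entry %q: %w", f.Name, err)
		}
		if f.FileInfo().IsDir() {
			continue // parent directories are created on demand below
		}
		if err := os.MkdirAll(filepath.Dir(dest), 0o755); err != nil {
			return written, err
		}
		if err := writeEntry(f, dest); err != nil {
			return written, err
		}
		written = append(written, dest)
	}
	return written, nil
}

func writeEntry(f *zip.File, dest string) error {
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.OpenFile(dest, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = io.Copy(out, rc)
	return err
}

// buildZip assembles a constructed sample archive from ordered (name, content)
// pairs. zip.Writer does not validate entry names, which is why the reader must.
func buildZip(entries [][2]string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, err := zw.Create(e[0])
		if err != nil {
			panic(err)
		}
		w.Write([]byte(e[1]))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	tmpDir, err := os.MkdirTemp("", "siyuan-import-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(tmpDir)
	fmt.Println("vulnerable:", vulnerableDest(tmpDir, "../../../../etc/passwd"))
	archive := buildZip([][2]string{ // constructed sample, not a real import
		{"notes/daily.md", "# constructed sample note"},
		{"../../escape.md", "constructed malicious entry"},
	})
	written, err := extractZip(tmpDir, archive)
	fmt.Println("written:", written, "error:", err)
}
```

Two details matter in practice: filepath.Join already collapses .. segments, so the containment check has to be made on the joined result (here via filepath.Rel) rather than by looking for ../ in the raw name, and backslashes have to be normalised first because Go's filepath on Linux does not treat them as separators. The example also stops at the first bad entry and reports what it already wrote, so an import that is only partly malicious can be rolled back.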
CVE-2026-32749 was publicly disclosed on 2026-03-16. It is not listed in the CISA KEV catalog, and the EPSS score recorded on this page is 0.08% (24th percentile), a low predicted probability of exploitation in the wild. No public proof-of-concept has been released, but the bug needs nothing more than a crafted filename sent from an administrator session, so a working exploit is trivial to write once the vulnerable code path is known. Treat a leaked or shared admin credential as the real precondition, and watch advisories and threat intelligence feeds for reports of active exploitation.
Because the attacker needs an administrator session, exposure comes down to who can obtain one. Internet-facing SiYuan instances whose access code or API token is weak, reused or shared are at the highest risk, as are multi-user or shared-hosting setups where several people use one instance: there, a single compromised administrator credential turns into an arbitrary file write on the host and affects every user of that instance.
• linux / server:
journalctl -u siyuan -g 'importSY|importZipMd'   # --grep takes one PCRE pattern, so combine the handler names with alternation; adjust the unit name to your deployment
• generic web:
curl -s -X POST -H 'Authorization: Token <your-api-token>' http://your-siyuan-server/api/system/version   # returns the running kernel version; anything at or below the affected pseudo-version, or below 3.6.1, is exposed
• generic web:
Grep reverse-proxy or access logs for POST requests to /api/import/importSY or /api/import/importZipMd from unexpected sources or at unexpected times. Note that the crafted name typically travels in the multipart body or inside the uploaded archive, not in the request line, so a plain access-log grep for ../ or ..\ will usually miss it; pair the log review with a check for recently created or modified files outside SiYuan's workspace and temp directories.
Disclosure
Exploit status
EPSS
0.08% (24th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to SiYuan kernel version 3.6.1 or later, which contains the fix (the metadata on this page lists 3.6.2; when in doubt take the latest release and check the project's advisory). If you cannot upgrade immediately, reduce exposure instead: keep the instance off the public Internet or behind an authenticating proxy, rotate the access code and API token, and put a WAF rule in front of /api/import/importSY and /api/import/importZipMd that rejects multipart filenames containing ../ or ..\ (including URL-encoded forms). Upload size limits do not address the root cause and should not be counted as a mitigation. Monitor for file creation or modification in directories SiYuan has no reason to write to. After upgrading, verify the fix by importing a file whose name contains a traversal sequence and confirming that the request is rejected or the file lands inside the import directory, never outside it.
Update SiYuan to version 3.6.1 or later. This fixes the path traversal vulnerability that allows arbitrary file writes. If you run SiYuan in a Docker container, make sure to update the container image as well.
CVE-2026-32749 is a Path Traversal vulnerability in the Siyuan kernel allowing attackers to write files outside the intended directory, potentially leading to RCE.
You are affected if you are running Siyuan kernel versions ≤0.0.0-20260313024916-fd6526133bb3. Upgrade to 3.6.1 or later.
Upgrade to Siyuan kernel version 3.6.1 or later. Implement WAF rules and restrict file upload permissions as temporary mitigations.
Active exploitation has not been confirmed. The flaw is simple to trigger for anyone holding an administrator session, so the practical likelihood depends on how well those credentials are protected.
Refer to the official Siyuan security advisories on their website or GitHub repository for the latest information.