Platform
go
Component
github.com/siyuan-note/siyuan/kernel
Fixed in
3.6.3
0.0.1
CVE-2026-33476 describes a Path Traversal vulnerability discovered in the Siyuan Kernel, a core component of the Siyuan note-taking application. This flaw allows unauthenticated attackers to read arbitrary files accessible to the server process by manipulating the /appearance/*filepath endpoint. The vulnerability affects versions of the Siyuan Kernel prior to 3.6.2 and was publicly disclosed on March 20, 2026. A fix is available in version 3.6.2.
The impact of this vulnerability is significant due to its unauthenticated nature and the potential for arbitrary file access. An attacker can exploit this flaw to read sensitive configuration files, database credentials, or even source code from the server's file system. This could lead to complete compromise of the Siyuan instance and potentially expose user data. While the vulnerability is limited to the /appearance/*filepath endpoint, the files accessible through this endpoint could contain highly sensitive information. The ability to read arbitrary files without authentication significantly broadens the attack surface and makes exploitation relatively straightforward.
CVE-2026-33476 was publicly disclosed on 2026-03-20. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (PoC) code has been released. The vulnerability has not been added to the CISA KEV catalog. Given the ease of exploitation and the unauthenticated nature of the vulnerability, it is likely to become a target for opportunistic attackers.
Organizations and individuals using Siyuan for note-taking, particularly those running self-hosted instances or deployments with less stringent security controls, are at risk. Shared hosting environments where multiple users share the same server instance are particularly vulnerable, as an attacker could potentially access data belonging to other users.
• linux / server:
journalctl -u siyuan | grep -i "path traversal"
• generic web:
curl -I http://<siyuan_server>/appearance/../../../../etc/passwd
• generic web:
grep -r "/appearance/" /var/log/apache2/access.log
Discovery
Disclosure
Patch
Exploit status
EPSS
0.73% (72nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33476 is to upgrade to Siyuan Kernel version 3.6.2 or later, which includes the necessary path sanitization fixes. If upgrading immediately is not possible, consider implementing a temporary workaround by restricting access to the /appearance/*filepath endpoint using a web application firewall (WAF) or reverse proxy. Configure the WAF to block requests containing directory traversal sequences (e.g., '..') in the filepath parameter. Additionally, review and restrict file permissions on the server to minimize the potential impact of a successful exploit. After upgrading, confirm the fix by attempting to access the vulnerable endpoint with a crafted path traversal request (e.g., /appearance/../../../../etc/passwd) and verifying that access is denied.
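As an added illustration (not the SiYuan project's own code or fix), the Go snippet below shows the containment check that a `/appearance/*filepath` handler needs, and reuses it to flag traversal attempts in access-log lines of the kind the `grep` command above collects. The appearance directory path and the log lines in the test are assumed and constructed, not taken from a real install.

```go
package main

import (
	"errors"
	"net/url"
	"path/filepath"
	"strings"
)

// appearanceRoot is an assumed directory behind the /appearance/*filepath route;
// the real location inside a SiYuan install may differ.
const appearanceRoot = "/srv/siyuan/appearance"

// resolveAppearanceFile maps the *filepath part of a request onto a file under
// appearanceRoot. It percent-decodes, joins (which cleans ".." segments) and then
// checks that the result is still inside the root, so "../" and "%2e%2e/" forms
// are rejected instead of being served.
func resolveAppearanceFile(requested string) (string, error) {
	decoded, err := url.PathUnescape(requested)
	if err != nil {
		return "", err
	}
	full := filepath.Join(appearanceRoot, filepath.FromSlash(decoded))
	rel, err := filepath.Rel(appearanceRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("requested path escapes the appearance root")
	}
	return full, nil
}

// flagTraversalRequests scans common/combined-format access-log lines
// (`... "GET /appearance/... HTTP/1.1" ...`) and returns the request targets
// under /appearance/ that would have escaped the root on an unpatched kernel.
func flagTraversalRequests(lines []string) []string {
	var hits []string
	for _, line := range lines {
		start := strings.IndexByte(line, '"')
		if start < 0 {
			continue
		}
		req := strings.Fields(line[start+1:])
		if len(req) < 2 || !strings.HasPrefix(req[1], "/appearance/") {
			continue
		}
		if _, err := resolveAppearanceFile(strings.TrimPrefix(req[1], "/appearance/")); err != nil {
			hits = append(hits, req[1])
		}
	}
	return hits
}
```

The same check can be used after upgrading: any request the scanner flags should now return a denial rather than file contents.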
Update SiYuan to version 3.6.2 or later. This version fixes the directory traversal vulnerability that allows unauthorized reading of files.
CVE-2026-33476 is a Path Traversal vulnerability in the Siyuan Kernel affecting versions prior to 3.6.2. It allows unauthenticated attackers to read arbitrary files on the server.
You are affected if you are using Siyuan Kernel versions prior to 3.6.2. Check your installed version against the affected range.
Upgrade to Siyuan Kernel version 3.6.2 or later. As a temporary workaround, implement a WAF rule to block access to the /appearance/*filepath endpoint.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a high likelihood of scanning and potential exploitation attempts.
Refer to the official Siyuan project website and GitHub repository for the latest security advisories and updates.