Platform: go
Component: github.com/siyuan-note/siyuan/kernel
Fixed in: 3.6.2, 0.0.1, 3.6.2
CVE-2026-32749 is a Path Traversal vulnerability discovered in the Siyuan kernel, a core component of the Siyuan note-taking application. This flaw allows authenticated administrators to write files outside the intended temporary directory, potentially enabling remote code execution (RCE). The vulnerability affects versions of the Siyuan kernel up to and including 0.0.0-20260313024916-fd6526133bb3. A fix is available in version 3.6.1.
The vulnerability lies in the importSY and importZipMd functions in kernel/api/import.go. During import operations these functions build destination paths from user-supplied filenames without sanitising them, so a filename containing path traversal sequences (e.g., ../../../../etc/passwd) causes the file to be written outside the temporary import directory, at an arbitrary location on the server's filesystem. An attacker could use this to overwrite critical system files, plant malicious code, or reach sensitive data; because an arbitrary file write can lead to code execution, a successful exploit could give the attacker complete control of the affected system. The root cause is the classic path traversal pattern: unsanitised path components let the caller navigate the filesystem and bypass the directory restriction the code intended to enforce.
CVE-2026-32749 was publicly disclosed on March 16, 2026. The vulnerability's severity is currently being evaluated, and its inclusion in the CISA KEV catalog is pending. No public proof-of-concept (PoC) exploits have been released at the time of this writing, but the ease of exploitation inherent in path traversal vulnerabilities suggests a high likelihood of PoCs emerging. Active campaigns targeting this vulnerability are not currently confirmed, but the potential for exploitation warrants proactive monitoring and mitigation.
Exploit Status
EPSS: 0.08% (24th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to Siyuan kernel version 3.6.1 or later, which contains the fix. If immediate upgrading is not possible, consider temporary workarounds. One approach is to restrict file upload permissions for administrative users, limiting their ability to trigger the vulnerable import functionality. Additionally, implement a Web Application Firewall (WAF) rule to block requests containing suspicious path traversal sequences in the filename parameter. Monitor system logs for unusual file creation activity in unexpected directories; specifically, look for files being created outside the designated temporary import directory. After upgrading, confirm the fix by attempting a file import with a filename containing path traversal characters and verifying that the file is not written outside the intended import directory.
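As an added example (not SiYuan's own code), the flawed path construction described above sits beside a hardened version that keeps every import target inside the temporary directory; the base directory and the function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathTraversal is returned when a supplied name would resolve outside baseDir.
var ErrPathTraversal = errors.New("filename escapes the import directory")

// UnsafeImportPath shows the flawed pattern: the user-supplied entry name is
// joined onto the temporary import directory with no containment check, so
// "../../../../etc/passwd" resolves to /etc/passwd. Illustrative, not SiYuan's code.
func UnsafeImportPath(baseDir, name string) string {
	return filepath.Join(baseDir, name)
}

// SafeImportPath is the hardened form: it refuses absolute names, resolves the
// joined path, and rejects any result that does not lie strictly inside baseDir.
func SafeImportPath(baseDir, name string) (string, error) {
	if name == "" || strings.ContainsRune(name, 0) || filepath.IsAbs(name) {
		return "", ErrPathTraversal
	}
	cleanBase := filepath.Clean(baseDir)
	target := filepath.Join(cleanBase, name) // Join cleans, so ".." segments collapse
	// Rel is "." when target == base and starts with ".." when target escaped base.
	rel, err := filepath.Rel(cleanBase, target)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return target, nil
}

func main() {
	base := "/tmp/siyuan-import" // assumed temporary import directory
	for _, name := range []string{"notes/daily.sy", "../../../../etc/passwd", "notes/../../x"} {
		fmt.Printf("unsafe: %-28q -> %s\n", name, UnsafeImportPath(base, name))
		if p, err := SafeImportPath(base, name); err != nil {
			fmt.Printf("safe:   %-28q -> rejected (%v)\n", name, err)
		} else {
			fmt.Printf("safe:   %-28q -> %s\n", name, p)
		}
	}
}
```

The same containment check belongs wherever the resolved path is later opened for writing, since a check on the name alone is bypassed if the path is rebuilt elsewhere.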
Update SiYuan to version 3.6.1 or later. This fixes the path traversal vulnerability that allows arbitrary file writes. If you are running SiYuan in a Docker container, make sure to update the container image.
CVE-2026-32749 is a Path Traversal vulnerability in the Siyuan kernel allowing attackers to write files outside the intended directory, potentially leading to RCE.
You are affected if you are running Siyuan kernel versions ≤0.0.0-20260313024916-fd6526133bb3. Upgrade to 3.6.1 or later.
Upgrade to Siyuan kernel version 3.6.1 or later. Implement WAF rules and restrict file upload permissions as temporary mitigations.
Active exploitation is not currently confirmed, but the vulnerability's nature suggests a high likelihood of exploitation.
Refer to the official Siyuan security advisories on their website or GitHub repository for the latest information.