Platform: go
Component: github.com/siyuan-note/siyuan/kernel
Fixed in: 3.6.3
0.0.1
CVE-2026-33476 describes a Path Traversal vulnerability discovered in the Siyuan Kernel, a core component of the Siyuan note-taking application. The flaw allows unauthenticated attackers to read arbitrary files accessible to the server process by manipulating the path passed to the /appearance/*filepath endpoint. The vulnerability affects versions of the Siyuan Kernel prior to 3.6.2 and was publicly disclosed on March 20, 2026. A fix is available in version 3.6.2.
The primary impact of CVE-2026-33476 is the potential for unauthorized file access. An attacker can exploit this vulnerability to read sensitive configuration files, source code, or other data stored on the server. This could lead to information disclosure, compromise of credentials, or even further exploitation if sensitive data is exposed. The lack of authentication for the vulnerable endpoint significantly lowers the barrier to entry for attackers, making it a high-priority concern. The ability to read arbitrary files could also expose internal system details, aiding in reconnaissance for other attacks.
CVE-2026-33476 is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability's ease of exploitation and unauthenticated nature. The vulnerability's simplicity suggests a potential for widespread scanning and exploitation attempts. The NVD entry was published on March 20, 2026.
EPSS: 0.73% (72nd percentile)
The primary mitigation for CVE-2026-33476 is to upgrade the Siyuan Kernel to version 3.6.2 or later. If an immediate upgrade is not possible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests to the /appearance/*filepath endpoint. Alternatively, restrict access to this endpoint to trusted networks or users. Carefully review the Siyuan configuration to ensure that the appearancePath variable is properly secured and does not expose sensitive directories. After upgrading, confirm the fix by attempting to access the /appearance/*filepath endpoint with a crafted path traversal payload; access should be denied.
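As an added illustration (not code from the SiYuan project or from this advisory), the Go snippet below contrasts the defect class described above, an unchecked join of the /appearance/*filepath wildcard onto appearancePath, with a hardened resolver that refuses any request escaping that directory. The function names and the /srv/siyuan/appearance base directory mentioned in the comments are assumptions, not taken from the SiYuan source.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the request resolves outside appearancePath.
var ErrOutsideBase = errors.New("requested path escapes the appearance directory")

// VulnerableAppearancePath shows the shape of the defect class (hypothetical,
// not the SiYuan code): the wildcard segment of a /appearance/*filepath request
// is joined to the base directory and served as-is. filepath.Join cleans ".."
// only after joining, so "../../etc/passwd" simply walks out of appearancePath.
func VulnerableAppearancePath(appearancePath, requested string) string {
	return filepath.Join(appearancePath, requested)
}

// SafeAppearancePath joins and cleans the request, then verifies the result is
// the base directory itself or lies below it. The trailing separator in the
// prefix check matters: without it "../appearance-private/x" would be accepted,
// because "/srv/siyuan/appearance-private" starts with "/srv/siyuan/appearance".
func SafeAppearancePath(appearancePath, requested string) (string, error) {
	base, err := filepath.Abs(appearancePath)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, requested) // Join runs filepath.Clean
	if full != base && !strings.HasPrefix(full, base+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

// ReadAppearanceFile is the hardened read path: resolve and check first, then
// open. If appearancePath may contain symlinks, also run filepath.EvalSymlinks
// on the result and repeat the containment check before reading.
func ReadAppearanceFile(appearancePath, requested string) ([]byte, error) {
	full, err := SafeAppearancePath(appearancePath, requested)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(full)
}
```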
Update SiYuan to version 3.6.2 or later. This version fixes the directory traversal vulnerability that allows unauthorized file reads.
CVE-2026-33476 is a Path Traversal vulnerability in the Siyuan Kernel affecting versions prior to 3.6.2. It allows unauthenticated attackers to read arbitrary files on the server.
You are affected if you are using Siyuan Kernel versions prior to 3.6.2. Check your installed version against the affected range.
Upgrade to Siyuan Kernel version 3.6.2 or later. As a temporary workaround, implement a WAF rule to block access to the /appearance/*filepath endpoint.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a high likelihood of scanning and potential exploitation attempts.
Refer to the official Siyuan project website and GitHub repository for the latest security advisories and updates.