Platform: other
Component: siyuan
Fixed in: 3.6.3
CVE-2026-33670 describes a directory traversal vulnerability in SiYuan, a personal knowledge management system. The flaw lets an attacker step outside the intended directory and enumerate the file names of every document in a notebook. SiYuan versions 3.6.2 and earlier are affected; the issue is fixed in version 3.6.3.
The vulnerable code path is the /api/file/readDir interface. Because the server did not validate the client-supplied path against the permitted directory root, a request could traverse out of the expected location and list the names of all documents within a notebook. In a knowledge base the file names are typically the document titles, so the listing alone can leak sensitive personal or professional information and is especially damaging where the SiYuan instance is reachable without proper access restriction. The vulnerability carries a CVSS base score of 9.8 (critical); successful exploitation compromises the confidentiality of user data stored in SiYuan.
Exploitation consists of sending a crafted path to /api/file/readDir; with no server-side confinement of the path, the interface returns the directory listing for whatever location the traversal resolves to. The risk is highest where SiYuan holds confidential material, since the exposed names tell an attacker which documents are worth targeting in a follow-on attack. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, so no in-the-wild exploitation has been confirmed; the 9.8 base score describes assessed severity (a remotely reachable, low-complexity attack), not observed exploitation, and the low EPSS probability below is consistent with that.
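The root cause described above is a missing server-side check that the requested path stays inside the permitted root. The following Go code is an added illustration written for this page; it is not SiYuan's code and makes no claim about how SiYuan's readDir handler is structured. It places a hypothetical unsafe join (the pattern the advisory describes) beside a confined version that normalises the joined path and rejects anything that resolves outside the root. The root directory and notebook layout are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a requested path escapes the permitted root.
var ErrOutsideRoot = errors.New("path escapes permitted root")

// vulnerableResolve shows the unsafe pattern: the client-supplied path is joined
// onto the data directory with no check that the result stays inside it.
// Hypothetical reconstruction for illustration, not SiYuan's implementation.
func vulnerableResolve(root, userPath string) string {
	return filepath.Join(root, userPath)
}

// safeResolve confines userPath to root. Join cleans the path (collapsing ".."),
// and Rel then tells us whether the cleaned result is still under root.
func safeResolve(root, userPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Only notebook-relative paths are expected; refuse absolute ones outright.
	if filepath.IsAbs(userPath) {
		return "", ErrOutsideRoot
	}
	joined := filepath.Join(absRoot, userPath)
	rel, err := filepath.Rel(absRoot, joined)
	if err != nil {
		return "", err
	}
	// rel is "." for the root itself, or a descendant path; anything starting
	// with a ".." segment has escaped. ("..foo" is a legitimate file name.)
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return joined, nil
}

// listNames returns the entry names under the confined directory, or an error
// when the request escapes the root or the directory cannot be read.
func listNames(root, userPath string) ([]string, error) {
	dir, err := safeResolve(root, userPath)
	if err != nil {
		return nil, err
	}
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(entries))
	for _, e := range entries {
		names = append(names, e.Name())
	}
	return names, nil
}

func main() {
	// Constructed sample layout in a temp dir, not real SiYuan data.
	root, err := os.MkdirTemp("", "readdir-demo-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := os.MkdirAll(filepath.Join(root, "notebook"), 0o755); err != nil {
		panic(err)
	}
	if err := os.WriteFile(filepath.Join(root, "notebook", "note.sy"), []byte("{}"), 0o644); err != nil {
		panic(err)
	}
	for _, req := range []string{"notebook", "../../../etc"} {
		fmt.Printf("unsafe join  %-16q -> %s\n", req, vulnerableResolve(root, req))
		names, err := listNames(root, req)
		fmt.Printf("confined     %-16q -> names=%v err=%v\n", req, names, err)
	}
}
```

The lexical check above is the minimum; if the data directory can contain symlinks, resolve the candidate with filepath.EvalSymlinks and repeat the Rel check on the real path, otherwise a link inside the root can still point outside it.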
Exploit Status
EPSS: 0.06% (18th percentile)
The fix is to update SiYuan to version 3.6.3 or later, which adds the missing path confinement to the /api/file/readDir interface so that file names outside the permitted directory can no longer be listed. All SiYuan users should update as soon as possible. In addition, review who can reach the SiYuan kernel at all: a knowledge base that is only needed locally should not be exposed to untrusted networks, and where remote access is required it should sit behind authentication. Monitoring request logs for suspicious activity, in particular readDir calls whose path contains traversal sequences, helps detect and respond to exploitation attempts.
Update SiYuan to version 3.6.3 or later. This version fixes the directory traversal vulnerability in the publishing service.
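The monitoring advice above is only actionable with a concrete check. The Go snippet below is an added example for this page, not tooling shipped by SiYuan: it scans constructed request-log lines in a generic "METHOD PATH?QUERY STATUS" shape and flags readDir calls whose path parameter contains a ".." segment after URL decoding. The log format and the assumption that the path arrives as a query parameter are both constructed for the demo; SiYuan's real interface may carry the parameter in a request body, in which case the line parser is the part to adapt and isTraversal stays as is.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// sampleLog holds constructed lines for the demo. The "METHOD PATH?QUERY STATUS"
// shape and the query-string parameter are assumptions, not SiYuan's real format.
var sampleLog = []string{
	`POST /api/file/readDir?path=/data/20240101-abc 200`,
	`POST /api/file/readDir?path=/data/../../../ 200`,
	`POST /api/file/readDir?path=%2Fdata%2F..%2F..%2F 200`,
	`POST /api/system/version 200`,
}

// isTraversal reports whether any segment of p, after URL decoding, is "..".
// Both "/" and "\" are treated as separators so Windows-style attempts are caught.
func isTraversal(p string) bool {
	decoded, err := url.PathUnescape(p)
	if err != nil {
		decoded = p // malformed escapes: inspect the raw value instead
	}
	segments := strings.FieldsFunc(decoded, func(r rune) bool {
		return r == '/' || r == '\\'
	})
	for _, seg := range segments {
		if seg == ".." {
			return true
		}
	}
	return false
}

// suspiciousReadDir returns the log lines that call /api/file/readDir with a
// path parameter containing a traversal segment.
func suspiciousReadDir(lines []string) []string {
	var hits []string
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		u, err := url.Parse(fields[1])
		if err != nil || u.Path != "/api/file/readDir" {
			continue
		}
		if isTraversal(u.Query().Get("path")) {
			hits = append(hits, line)
		}
	}
	return hits
}

func main() {
	for _, hit := range suspiciousReadDir(sampleLog) {
		fmt.Println("ALERT traversal in readDir:", hit)
	}
}
```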
SiYuan is a personal knowledge management system that allows users to organize and access their notes and documents.
Version 3.6.3 patches CVE-2026-33670, which allowed unauthenticated listing of document file names outside the intended directory.
If you cannot update immediately, restrict network access to the SiYuan instance so only trusted users can reach it, and monitor logs for requests to /api/file/readDir that contain traversal sequences.
If you are running version 3.6.2 or earlier, you are affected.
A CVSS base score of 9.8 rates the flaw as critical: the scorer assessed it as remotely exploitable with low complexity and high impact. The score measures severity, not how often it is exploited in practice; see the EPSS figure above for that.