CVE-2026-33476

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath.` Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process. Authentication checks explicitly exclude this endpoint, allowing exploitation without valid credentials. Version 3.6.2 fixes this issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/siyuan-note/siyuan/commit/009bb598b3beccc972aa5f1ed88b3b224326bf2a	Patch
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hhgj-gg9h-rjp7	Exploit Vendor Advisory
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hhgj-gg9h-rjp7	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-20 23:16

Updated : 2026-03-23 22:16

NVD link : CVE-2026-33476

Mitre link : CVE-2026-33476

CVE.ORG link : CVE-2026-33476

JSON object : View

Products Affected

b3log

siyuan

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-73

External Control of File Name or Path

{"id": "CVE-2026-33476", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-20T23:16:48.137", "references": [{"url": "https://github.com/siyuan-note/siyuan/commit/009bb598b3beccc972aa5f1ed88b3b224326bf2a", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hhgj-gg9h-rjp7", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hhgj-gg9h-rjp7", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-73"}]}], "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath.` Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process. Authentication checks explicitly exclude this endpoint, allowing exploitation without valid credentials. Version 3.6.2 fixes this issue."}, {"lang": "es", "value": "SiYuan es un sistema de gesti\u00f3n de conocimiento personal. Antes de la versi\u00f3n 3.6.2, el kernel de Siyuan expone un endpoint de servicio de archivos no autenticado bajo `/appearance/*filepath.` Debido a una sanitizaci\u00f3n de ruta inadecuada, los atacantes pueden realizar salto de directorio y leer archivos arbitrarios accesibles al proceso del servidor. Las comprobaciones de autenticaci\u00f3n excluyen expl\u00edcitamente este endpoint, permitiendo la explotaci\u00f3n sin credenciales v\u00e1lidas. La versi\u00f3n 3.6.2 corrige este problema."}], "lastModified": "2026-03-23T22:16:31.057", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "27CB71A7-7208-417A-AE6D-266D57F683E9", "versionEndExcluding": "3.6.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}