CVE-2026-41894: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in siyuan-note siyuan
CVE-2026-41894 is a path traversal vulnerability in the SiYuan personal knowledge management system prior to version 3. 6. 5. The issue arises from a redundant URL unescaping call in the serveExport() function, which allows an authenticated attacker to bypass a denylist check using double URL encoding. Exploitation enables reading arbitrary workspace files, including the full SQLite database, kernel logs, and user documents. The vulnerability is rated high severity with a CVSS 4. 0 score of 7. 1. The issue is fixed in version 3. 6.
AI Analysis
Technical Summary
SiYuan versions before 3.6.5 contain a path traversal vulnerability (CWE-22) due to improper handling of URL decoding in the serveExport() function. Although a denylist check (IsSensitivePath) was introduced to address a prior vulnerability (CVE-2026-30869), the root cause was not fully resolved because of a redundant url.PathUnescape() call. This flaw allows an authenticated attacker to use double URL encoding (%252e%252e) to traverse directories and access arbitrary files within the workspace, including sensitive data such as the SQLite database (siyuan.db), kernel logs, and all user documents. The vulnerability has a CVSS 4.0 score of 7.1, indicating high severity. The issue is resolved in SiYuan version 3.6.5.
Potential Impact
An authenticated attacker can exploit this vulnerability to read arbitrary files within the SiYuan workspace. This includes sensitive files such as the full SQLite database containing user data, kernel logs, and all user documents. Unauthorized file access can lead to data disclosure and compromise of user privacy and system integrity.
Mitigation Recommendations
This vulnerability is fixed in SiYuan version 3.6.5. Users should upgrade to version 3.6.5 or later to remediate this issue. No official patch or workaround is indicated beyond upgrading. Patch status is not explicitly stated in the vendor advisory, but the description confirms the fix is included in version 3.6.5.
CVE-2026-41894: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in siyuan-note siyuan
Description
CVE-2026-41894 is a path traversal vulnerability in the SiYuan personal knowledge management system prior to version 3. 6. 5. The issue arises from a redundant URL unescaping call in the serveExport() function, which allows an authenticated attacker to bypass a denylist check using double URL encoding. Exploitation enables reading arbitrary workspace files, including the full SQLite database, kernel logs, and user documents. The vulnerability is rated high severity with a CVSS 4. 0 score of 7. 1. The issue is fixed in version 3. 6.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
SiYuan versions before 3.6.5 contain a path traversal vulnerability (CWE-22) due to improper handling of URL decoding in the serveExport() function. Although a denylist check (IsSensitivePath) was introduced to address a prior vulnerability (CVE-2026-30869), the root cause was not fully resolved because of a redundant url.PathUnescape() call. This flaw allows an authenticated attacker to use double URL encoding (%252e%252e) to traverse directories and access arbitrary files within the workspace, including sensitive data such as the SQLite database (siyuan.db), kernel logs, and all user documents. The vulnerability has a CVSS 4.0 score of 7.1, indicating high severity. The issue is resolved in SiYuan version 3.6.5.
Potential Impact
An authenticated attacker can exploit this vulnerability to read arbitrary files within the SiYuan workspace. This includes sensitive files such as the full SQLite database containing user data, kernel logs, and all user documents. Unauthorized file access can lead to data disclosure and compromise of user privacy and system integrity.
Mitigation Recommendations
This vulnerability is fixed in SiYuan version 3.6.5. Users should upgrade to version 3.6.5 or later to remediate this issue. No official patch or workaround is indicated beyond upgrading. Patch status is not explicitly stated in the vendor advisory, but the description confirms the fix is included in version 3.6.5.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-22T15:11:54.671Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ebc30587115cfb68680b13
Added to database: 4/24/2026, 7:22:45 PM
Last enriched: 4/24/2026, 7:36:01 PM
Last updated: 4/24/2026, 8:26:26 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.