CVE-2026-30869

SiYuan · SiYuan

A path traversal vulnerability in the SiYuan /export endpoint allows unauthenticated attackers to read arbitrary files from the server filesystem.

Executive summary

A critical path traversal vulnerability in SiYuan allows attackers to steal sensitive configuration files, potentially leading to full system compromise or remote code execution.

Vulnerability

A path traversal flaw exists in the /export endpoint, where double-encoded traversal sequences bypass the endpoint's input filtering. An unauthenticated attacker can use it to retrieve sensitive files from the server filesystem, including files holding API tokens and authentication secrets.
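The bypass class described above turns on where decoding happens relative to the check: a filter that percent-decodes once and then looks for `..` sees `%2e%2e%2f` in a double-encoded request and lets it through, and a later layer decodes it again into `../`. The following added example (written for this advisory, not SiYuan's own code) contrasts that weak filter with a check that decodes until the input is stable and then confirms the normalised path still lies under the export root. The root directory `/srv/app/export` is an assumed placeholder, not SiYuan's layout.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed export root for the example; SiYuan's real directory layout differs.
EXPORT_ROOT = "/srv/app/export"


def naive_filter_rejects(raw_path: str) -> bool:
    """Weak filter: decode once, then search for '..'.

    Shown only to illustrate the failure mode: a double-encoded
    sequence decodes to '%2e%2e%2f', which contains no literal '..',
    so this check passes it through.
    """
    decoded = unquote(raw_path)
    return ".." in decoded


def fully_decode(raw: str, max_rounds: int = 5) -> str:
    """Percent-decode repeatedly until the string stops changing.

    max_rounds bounds the loop so pathological input cannot spin it.
    """
    current = raw
    for _ in range(max_rounds):
        nxt = unquote(current)
        if nxt == current:
            break
        current = nxt
    return current


def resolve_safely(raw_path: str, root: str = EXPORT_ROOT) -> Optional[str]:
    """Return the canonical path if it stays inside root, else None.

    The check is on the normalised result, not on the input text, so
    it does not matter how many encoding layers the request used.
    """
    decoded = fully_decode(raw_path)
    root_norm = posixpath.normpath(root)
    # Strip a leading slash so an absolute input is still joined under root.
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded.lstrip("/")))
    if candidate == root_norm or candidate.startswith(root_norm + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for sample in ("notes/today.md", "../secret.json", "%2e%2e/secret.json",
                   "%252e%252e%252fsecret.json"):
        print(f"{sample!r:32} naive_rejects={naive_filter_rejects(sample)!s:5} "
              f"safe_path={resolve_safely(sample)}")
```

The design point is that string matching on the request text is the wrong layer for this control: the only reliable check is on the fully decoded, normalised filesystem path against the directory the endpoint is permitted to serve.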

Business impact

The exposure of API tokens and session secrets poses an extreme risk, as it grants attackers administrative access to the SiYuan kernel API. With a CVSS score of 9.3, this vulnerability could be chained to achieve remote code execution, resulting in total server compromise and potential exfiltration of all stored knowledge management data.

Remediation

Immediate Action: Upgrade SiYuan to version 3.5.10 or later, which patches the affected /export endpoint.

Proactive Monitoring: Inspect server logs for suspicious URL patterns containing directory traversal sequences (e.g., ../, %2e%2e%2f).
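A literal search for `../` or `%2e%2e%2f` in access logs misses the double-encoded form this advisory describes. The added script below (not part of the advisory or of SiYuan) scans common-format access-log lines, percent-decodes each request path until it is stable, and flags any that contain a traversal segment, recording how many decoding rounds were needed and whether the server answered 200. The log lines are constructed for the example, and `example-secret.json` is a placeholder file name, not a real SiYuan path.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a common access-log layout:
# client, identity, user, timestamp, request line, status.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /export/notes/today.md HTTP/1.1" 200
10.0.0.7 - - [01/Jan/2026:10:00:01 +0000] "GET /export/../../example-secret.json HTTP/1.1" 400
10.0.0.7 - - [01/Jan/2026:10:00:02 +0000] "GET /export/%2e%2e%2f%2e%2e%2fexample-secret.json HTTP/1.1" 400
10.0.0.7 - - [01/Jan/2026:10:00:03 +0000] "GET /export/%252e%252e%252f%252e%252e%252fexample-secret.json HTTP/1.1" 200
10.0.0.9 - - [01/Jan/2026:10:00:04 +0000] "GET /api/system/version HTTP/1.1" 200
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A '..' segment bounded by slashes or backslashes (or string ends).
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def decode_rounds(value: str, max_rounds: int = 5):
    """Percent-decode until stable; return (decoded, rounds_applied)."""
    current, rounds = value, 0
    while rounds < max_rounds:
        nxt = unquote(current)
        if nxt == current:
            break
        current, rounds = nxt, rounds + 1
    return current, rounds


def scan_line(line: str):
    """Return a finding dict for a traversal attempt, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path = m.group("target").split("?", 1)[0]
    decoded, rounds = decode_rounds(path)
    if not TRAVERSAL_RE.search(decoded):
        return None
    status = int(m.group("status"))
    return {
        "client": line.split(" ", 1)[0],
        "path": path,
        "decoded": decoded,
        "encoding_rounds": rounds,
        "status": status,
        # A 200 on a traversal path means the request was served, so it is
        # the one to treat as a likely successful read rather than a probe.
        "severity": "high" if status == 200 else "medium",
    }


def scan_log(text: str):
    """Scan every line of an access log and collect the findings."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"[{finding['severity']}] {finding['client']} rounds={finding['encoding_rounds']} "
              f"status={finding['status']} {finding['path']} -> {finding['decoded']}")
```

When reviewing findings, the `encoding_rounds` value separates plain probes (0 or 1) from the double-encoded pattern (2) that the filter bypass relies on, and a `high` severity entry is the one that warrants checking which file the decoded path pointed at.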

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules specifically configured to block directory traversal attempts and double-encoded input strings.

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

Given the severity of the data exposure and the potential for remote code execution, immediate remediation is required. Ensure that all instances are updated to the latest version and verify that no unauthorized access to sensitive configuration files has occurred.