CVE-2026-30869
SiYuan · SiYuan
A path traversal vulnerability in the SiYuan /export endpoint allows unauthenticated attackers to read arbitrary files from the server filesystem.
Executive summary
A critical path traversal vulnerability in SiYuan allows attackers to steal sensitive configuration files, potentially leading to full system compromise or remote code execution.
Vulnerability
A path traversal flaw exists in the /export endpoint, where double-encoded sequences can be used to bypass security filters. This allows an unauthenticated attacker to retrieve sensitive files, including API tokens and authentication secrets.
Business impact
The exposure of API tokens and session secrets poses an extreme risk, as it grants attackers administrative access to the SiYuan kernel API. With a CVSS score of 9.3, this vulnerability could be chained to achieve remote code execution, resulting in total server compromise and potential exfiltration of all stored knowledge management data.
Remediation
Immediate Action: Upgrade SiYuan to version 3.5.10 or later to patch the affected /export endpoint.
Proactive Monitoring: Inspect server logs for suspicious URL patterns containing directory traversal sequences (e.g., ../, %2e%2e%2f).
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules specifically configured to block directory traversal attempts and double-encoded input strings.
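The log inspection recommended above, as an added example (not from the advisory or the SiYuan project): a small Python scanner that percent-decodes each request target repeatedly, so double-encoded sequences such as %252e%252e%252f are caught alongside plain ../ and %2e%2e%2f, and flags hits on the /export endpoint. The log lines are constructed samples in Common Log Format, and the file names in them are placeholders, not real SiYuan paths.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not real SiYuan logs).
# The file names are placeholders, not actual SiYuan paths.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /export/notes..v2.md HTTP/1.1" 200 512
10.0.0.7 - - [01/Mar/2026:10:00:02 +0000] "GET /export/../placeholder.json HTTP/1.1" 403 0
10.0.0.9 - - [01/Mar/2026:10:00:03 +0000] "GET /export/%252e%252e%252fplaceholder.json HTTP/1.1" 200 2048
10.0.0.9 - - [01/Mar/2026:10:00:04 +0000] "GET /api/system/version?x=%2e%2e%2f HTTP/1.1" 200 64
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." that forms its own segment (preceded by start, a separator or a query
# character, followed by a separator or the end); "notes..v2.md" does not match.
TRAVERSAL_RE = re.compile(r'(?:^|[^\w.-])\.\.(?:[\\/]|$)')


def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing, so %252e%252e%252f ends as ../.
    The round cap keeps pathological inputs from looping."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text):
    """Return one finding per request whose fully decoded target has a traversal segment."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        raw = match.group("target")
        decoded = fully_decode(raw)
        if not TRAVERSAL_RE.search(decoded):
            continue
        findings.append({
            "raw": raw,
            "decoded": decoded,
            "hits_export": decoded.startswith("/export"),
            # True only when one decode round was not enough, i.e. double encoding
            "double_encoded": unquote(raw) != decoded,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Requests where hits_export and double_encoded are both true are the ones matching the pattern this advisory describes; the plain-encoded and non-/export hits are still worth triage.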
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
Given the severity of the data exposure and the potential for remote code execution, immediate remediation is required. Ensure that all instances are updated to the latest version and verify that no unauthorized access to sensitive configuration files has occurred.