Path Traversal Vulnerability in SiYuan Personal Knowledge Management System
CVE-2026-30869

9.3CRITICAL

Key Information:

Vendor: Siyuan-note
Status: Siyuan
Vendor: CVE Published:; 9 March 2026

🔔 Create Siyuan-note Vulnerability Alert

What is CVE-2026-30869?

A path traversal vulnerability exists in the SiYuan Personal Knowledge Management System allowing attackers to read arbitrary files from the server's filesystem through the /export endpoint. By exploiting double-encoded traversal sequences, attackers can access sensitive information such as configuration files, including conf/conf.json, which may contain crucial secrets like API tokens and workspace authentication codes. Such exposure can lead to unauthorized administrative access to the SiYuan kernel API and, under certain circumstances, could be leveraged for remote code execution.

Affected Version(s)

siyuan < 3.5.10

References

https://github.com/siyuan-note/siyuan/security/advisories...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 9, 2026
Vulnerability Reserved
Mar 6, 2026

CVE-2026-30869 Data

JSON