Directory Traversal Vulnerability in SiYuan Personal Knowledge Management System
CVE-2026-33670

9.8CRITICAL

Key Information:

Vendor: Siyuan-note
Status: Siyuan
Vendor: CVE Published:; 26 March 2026

🔔 Create Siyuan-note Vulnerability Alert

What is CVE-2026-33670?

The SiYuan Personal Knowledge Management System introduces a directory traversal vulnerability in versions prior to 3.6.2, allowing unauthorized access to all document names within a notebook through the /api/file/readDir interface. This issue poses a significant risk, as it could potentially expose sensitive information to attackers. Users are strongly encouraged to update to version 3.6.2 or later to mitigate this risk.

Affected Version(s)

siyuan < 3.6.2

References

https://github.com/siyuan-note/siyuan/security/advisories...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 26, 2026
Vulnerability Reserved
Mar 23, 2026

CVE-2026-33670 Data

JSON