Path Traversal Vulnerability in SiYuan Knowledge Management System
CVE-2026-59832

7.7HIGH

Key Information:

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-59832?

SiYuan, an open-source personal knowledge management system, has a vulnerability in its snippet handling mechanism. Prior to version 3.7.1, the 'serveSnippets' handler was susceptible to path traversal attacks. This flaw allows authenticated users to construct malicious requests that could access sensitive files outside of the intended directory. For example, an attacker could exploit this by sending a request like '/snippets/%2e%2e/%2e%2e/conf/conf.json', potentially compromising workspace secrets and the document database. The issue has been addressed in version 3.7.1.

Affected Version(s)

siyuan < 3.7.1

References

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.