Path Traversal Vulnerability in SiYuan Knowledge Management System
CVE-2026-59832
7.7HIGH
What is CVE-2026-59832?
SiYuan, an open-source personal knowledge management system, has a vulnerability in its snippet handling mechanism. Prior to version 3.7.1, the 'serveSnippets' handler was susceptible to path traversal attacks. This flaw allows authenticated users to construct malicious requests that could access sensitive files outside of the intended directory. For example, an attacker could exploit this by sending a request like '/snippets/%2e%2e/%2e%2e/conf/conf.json', potentially compromising workspace secrets and the document database. The issue has been addressed in version 3.7.1.
Affected Version(s)
siyuan < 3.7.1
