Path Traversal Vulnerability in SiYuan Knowledge Management System
CVE-2026-59854
4.9MEDIUM
What is CVE-2026-59854?
The SiYuan personal knowledge management system is vulnerable due to inadequate validation of file paths in its API. Authenticated users, including administrators, can exploit this vulnerability to access sensitive files that should be protected, such as credential configurations for various services. The flaw exists because the denylist used to block access to sensitive paths is incomplete, allowing potentially harmful files to be copied into the workspace and exfiltrated. The issue has been addressed in version 3.7.1-alpha.2 and later, which enhances the path validation logic.
Affected Version(s)
siyuan < 3.7.1
