Path Traversal Vulnerability in SiYuan Knowledge Management System
CVE-2026-59854

4.9MEDIUM

Key Information:

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-59854?

The SiYuan personal knowledge management system is vulnerable due to inadequate validation of file paths in its API. Authenticated users, including administrators, can exploit this vulnerability to access sensitive files that should be protected, such as credential configurations for various services. The flaw exists because the denylist used to block access to sensitive paths is incomplete, allowing potentially harmful files to be copied into the workspace and exfiltrated. The issue has been addressed in version 3.7.1-alpha.2 and later, which enhances the path validation logic.

Affected Version(s)

siyuan < 3.7.1

References

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.