Siyuan

SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs, leading to configuration changes, denial of service, data corruption, and information disclosure by manipulating cloud sync intervals, graph configurations, SQL block content, and recent-documents lists.

SiYuan is vulnerable to path traversal via double URL encoding in the `/export/` endpoint, bypassing an incomplete fix for CVE-2026-30869; an authenticated attacker can exploit this vulnerability to traverse directories and read arbitrary workspace files, including the SQLite database (`siyuan.db`), kernel log, and user documents due to a redundant `url.PathUnescape()` call in `serveExport()`.