{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/siyuan/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.3,"id":"CVE-2026-30869"}],"_cs_exploited":false,"_cs_products":["siyuan"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","siYuan"],"_cs_type":"advisory","_cs_vendors":["siyuan"],"content_html":"\u003cp\u003eSiYuan is vulnerable to a path traversal vulnerability (CVE-2026-30869) due to a redundant \u003ccode\u003eurl.PathUnescape()\u003c/code\u003e call within the \u003ccode\u003eserveExport()\u003c/code\u003e function. The vulnerability exists in versions prior to 3.6.5. This flaw allows an authenticated attacker, including low-privilege users with Publish/Reader roles, to bypass intended security restrictions and access sensitive files stored within the SiYuan workspace. The initial fix attempted with \u003ccode\u003eIsSensitivePath()\u003c/code\u003e proved insufficient as it did not address the core issue of double URL decoding. An attacker can exploit this vulnerability by using double URL encoded characters in a crafted HTTP request, allowing them to read arbitrary files such as the complete SQLite document database (\u003ccode\u003esiyuan.db\u003c/code\u003e), kernel logs, and other critical files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker sends a GET request to the \u003ccode\u003e/export/\u003c/code\u003e endpoint with a double URL encoded path, such as \u003ccode\u003e/export/%252e%252e/siyuan.db\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Go HTTP server decodes the initial layer of URL encoding, transforming \u003ccode\u003e%25\u003c/code\u003e into \u003ccode\u003e%\u003c/code\u003e, resulting in a path like \u003ccode\u003e/export/%2e%2e/siyuan.db\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe path cleaner does not recognize \u003ccode\u003e%2e%2e\u003c/code\u003e as directory traversal, so it passes through.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eserveExport()\u003c/code\u003e function then calls \u003ccode\u003eurl.PathUnescape()\u003c/code\u003e on the path, decoding \u003ccode\u003e%2e%2e\u003c/code\u003e into \u003ccode\u003e..\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efilepath.Join()\u003c/code\u003e function concatenates the \u003ccode\u003eexportBaseDir\u003c/code\u003e with the now decoded path, e.g., \u003ccode\u003e\u0026lt;workspace\u0026gt;/../siyuan.db\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eIsSensitivePath()\u003c/code\u003e check fails to block the request because it doesn\u0026rsquo;t account for the decoded path or specific database files in the \u003ccode\u003etemp/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully retrieves the contents of the \u003ccode\u003esiyuan.db\u003c/code\u003e file, which contains the complete document database.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats the process to access other sensitive files within the workspace, such as \u003ccode\u003esiyuan.log\u003c/code\u003e, \u003ccode\u003eblocktree.db\u003c/code\u003e, and \u003ccode\u003easset_content.db\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to exfiltrate sensitive data, including the entire SQLite document database, potentially containing all user documents, attributes, and search indexes. The attacker can also access the kernel log, which may contain internal server paths, versions, configuration details, and error messages. This information disclosure could lead to further compromise of the system. While the number of victims is unknown, any SiYuan instance running a version prior to 3.6.5 is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade SiYuan to version 3.6.5 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect SiYuan Path Traversal Attempt\u003c/code\u003e to detect attempts to exploit this vulnerability by monitoring for double URL encoded characters in requests to the \u003ccode\u003e/export/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the \u003ccode\u003e/export/\u003c/code\u003e endpoint containing \u003ccode\u003e%252e%252e\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsider implementing a more robust path validation mechanism within the \u003ccode\u003eserveExport()\u003c/code\u003e function that properly handles URL decoding and directory traversal attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T20:55:31Z","date_published":"2026-04-22T20:55:31Z","id":"/briefs/2026-04-siyuan-path-traversal/","summary":"SiYuan is vulnerable to path traversal via double URL encoding in the `/export/` endpoint, bypassing an incomplete fix for CVE-2026-30869; an authenticated attacker can exploit this vulnerability to traverse directories and read arbitrary workspace files, including the SQLite database (`siyuan.db`), kernel log, and user documents due to a redundant `url.PathUnescape()` call in `serveExport()`.","title":"SiYuan Path Traversal via Double URL Encoding in `/export/` Endpoint","url":"https://feed.craftedsignal.io/briefs/2026-04-siyuan-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Siyuan","version":"https://jsonfeed.org/version/1.1"}