{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33670/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["directory-traversal","siyuan","cve-2026-33670"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe SiYuan note-taking application is susceptible to a critical directory traversal vulnerability affecting versions up to 0.0.0-20260317012524-fe4523fff2c8. The vulnerability resides in the \u003ccode\u003e/api/file/readDir\u003c/code\u003e endpoint, which lacks authentication. This allows unauthenticated attackers to send POST requests to enumerate directories and retrieve file names within the application\u0026rsquo;s data and configuration directories. Successful exploitation allows a malicious actor to gain sensitive information about the application\u0026rsquo;s file structure, and could be chained with a file-reading vulnerability to achieve arbitrary document access. This poses a significant risk to confidentiality and data security.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable SiYuan instance.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated POST request to the \u003ccode\u003e/api/file/readDir\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a \u003ccode\u003epath\u003c/code\u003e parameter specifying the directory to list, such as \u003ccode\u003edata\u003c/code\u003e or \u003ccode\u003econf\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe SiYuan application processes the request without authentication and returns a JSON response containing a list of files and directories within the specified path.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the JSON response to identify interesting files and directories.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 2-5 to traverse deeper into the directory structure.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the location of sensitive documents or configuration files.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a separate file reading vulnerability (not detailed in this brief) to access and exfiltrate the identified documents or configuration files, gaining unauthorized access to sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this directory traversal vulnerability allows an attacker to enumerate the entire directory structure of a SiYuan notebook. This may expose sensitive information stored within the application\u0026rsquo;s data and configuration files. When combined with a file reading vulnerability, attackers can access and exfiltrate arbitrary documents, potentially leading to data breaches and confidentiality compromise. The number of affected users is potentially large, given the popularity of the SiYuan note-taking application. Targeted sectors would include any organization or individual using SiYuan for storing sensitive information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply updates to SiYuan to versions greater than 0.0.0-20260317012524-fe4523fff2c8 that patch CVE-2026-33670.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/api/file/readDir\u003c/code\u003e endpoint, as detailed in the rule below, and investigate unexpected activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect exploitation attempts in web server logs, tuning it for your environment.\u003c/li\u003e\n\u003cli\u003eBlock access from IP address \u003ccode\u003e172.18.40.184\u003c/code\u003e observed in the exploit PoC, if seen connecting to your SiYuan instances.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T12:00:00Z","date_published":"2026-03-26T12:00:00Z","id":"/briefs/2026-03-siyuan-traversal/","summary":"SiYuan note taking application is vulnerable to a directory traversal via the /api/file/readDir endpoint, which does not require authentication, allowing an attacker to enumerate the directory structure and retrieve file names, potentially leading to arbitrary document reading.","title":"SiYuan Note Taking Application Directory Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-siyuan-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-33670","version":"https://jsonfeed.org/version/1.1"}