PT-2026-26689 · Siyuan · Siyuan

Mith36 · Published 2026-03-20 · Updated 2026-03-27 · CVE-2026-33476

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.6.2

Description: SiYuan, a personal knowledge management system, has an unauthenticated arbitrary file read issue due to a path traversal flaw. The kernel exposes a file-serving endpoint at /appearance/*filepath that bypasses authentication checks. Improper path sanitization allows attackers to construct malicious requests to read arbitrary files accessible to the server process. The vulnerable code is located in kernel/server/serve.go, where the path is constructed by joining a base directory with user-controlled URL segments without proper validation. This allows the use of directory traversal sequences like ../ to escape the intended directory and access sensitive files. Exploitation can be achieved by sending a crafted GET request to the /appearance/*filepath endpoint, such as GET /appearance/../../data/conf.json HTTP/1.1. This could lead to the disclosure of workspace configuration files, user notes, API tokens, and potentially local system files, depending on permissions. An estimated number of potentially affected devices worldwide is not provided.

Recommendations: Update SiYuan to version 3.6.2 or later.
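As an added example, not code from SiYuan or from this advisory: a Go helper showing how a base-directory join of the kind described above can be bounded so that cleaned paths which resolve outside the served directory are rejected. The base directory, the helper name and the request paths are assumptions constructed for the example (one of them is the traversal shape quoted in the description); the helper assumes the router has already URL-decoded the segment.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the resolved path escapes the served directory.
var ErrOutsideBase = errors.New("requested path resolves outside the base directory")

// resolveServedPath is a hypothetical hardened counterpart to a handler that
// joins a base directory with a user-controlled URL segment. It returns the
// cleaned path only when that path stays inside base.
func resolveServedPath(base, userPath string) (string, error) {
	base = filepath.Clean(base)
	// Join cleans the result, so "../" segments are collapsed here; the
	// containment check below is what actually enforces the boundary.
	joined := filepath.Join(base, filepath.FromSlash(userPath))
	rel, err := filepath.Rel(base, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	// Caveat: on a real filesystem a symlink inside base can still point
	// outside it; callers should also run filepath.EvalSymlinks on the
	// result and repeat this check when symlinks are a concern.
	return joined, nil
}

func main() {
	// Constructed sample: an assumed base directory and three request paths,
	// including the traversal shape quoted in the advisory.
	base := "/srv/siyuan/appearance"
	for _, p := range []string{"themes/daylight/theme.css", "../../data/conf.json", "/etc/passwd"} {
		resolved, err := resolveServedPath(base, p)
		if err != nil {
			fmt.Printf("REJECT %-28s %v\n", p, err)
			continue
		}
		fmt.Printf("ALLOW  %-28s -> %s\n", p, resolved)
	}
}
```

A leading "/" in the segment is not an escape here because Join anchors it under base; only paths whose cleaned form leaves base are refused.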

Exploit

Fix

Path traversal


Weakness Enumeration

Related identifiers

CVE-2026-33476
GHSA-HHGJ-GG9H-RJP7
GO-2026-4802
SUSE-SU-2026:1135-1

Affected products

Siyuan