PT-2026-28171 · Siyuan · Siyuan

Congsec · Published 2026-03-25 · Updated 2026-03-27

CVE-2026-33670 · CVSS v3.1 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.6.2

Description: SiYuan, a personal knowledge management system, contains a directory traversal issue in the /api/file/readDir API endpoint. The endpoint is used to retrieve the file names under a notebook without proper authorization. It accepts a path variable that is not adequately validated: the vulnerability exists because of insufficient restrictions on file access through the endpoint, so an attacker can place traversal sequences in that variable to walk the directory structure outside the intended notebook and potentially read arbitrary documents. The CVSS vector (AV:N, PR:N, UI:N) indicates the issue is reachable over the network with no privileges or user interaction.

Recommendations: Versions prior to 3.6.2 should be updated to version 3.6.2 or later.
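The flaw described above is a directory-listing endpoint that joins a client-supplied path onto a workspace directory and returns the entry names. The Go program below is an added example, not SiYuan's code and not its 3.6.2 fix: it contrasts an unchecked join (the pattern the advisory describes) with a handler that cleans the path, confines it lexically to the workspace root, and re-checks after resolving symlinks. The workspace layout, file names and the `link` symlink are constructed sample data, and all function names are the example's own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a requested path would escape the workspace.
var ErrOutsideRoot = errors.New("readDir: path escapes workspace root")

// listNames returns the entry names of dir, the data the endpoint exposes.
func listNames(dir string) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(entries))
	for _, e := range entries {
		names = append(names, e.Name())
	}
	return names, nil
}

// vulnerableReadDir models the flaw: the caller-supplied path is joined onto the
// workspace root with no containment check, so ".." segments walk out of it.
func vulnerableReadDir(root, reqPath string) ([]string, error) {
	return listNames(filepath.Join(root, reqPath))
}

// withinRoot reports whether p is root or lies beneath it; the appended
// separator stops "/ws2" from passing as a child of "/ws".
func withinRoot(root, p string) bool {
	return p == root || strings.HasPrefix(p, root+string(filepath.Separator))
}

// hardenedReadDir interprets reqPath relative to root (Join runs Clean, so
// "a/../../x" and a leading "/" are normalised) and refuses the request unless
// both the cleaned path and its symlink-resolved form stay inside the workspace.
func hardenedReadDir(root, reqPath string) ([]string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return nil, err
	}
	target := filepath.Join(absRoot, reqPath)
	if !withinRoot(absRoot, target) {
		return nil, ErrOutsideRoot
	}
	// A link inside the workspace may point outside it: compare real paths too.
	realRoot, errRoot := filepath.EvalSymlinks(absRoot)
	realTarget, errTarget := filepath.EvalSymlinks(target)
	if errRoot != nil || errTarget != nil {
		return nil, errors.Join(errRoot, errTarget) // errors.Join needs Go 1.20+
	}
	if !withinRoot(realRoot, realTarget) {
		return nil, ErrOutsideRoot
	}
	return listNames(realTarget)
}

// makeWorkspace builds a constructed layout (sample data, not a real install):
// base/workspace/notebook/doc.sy, base/secret.txt above the workspace, and
// base/workspace/link, a symlink pointing back at base.
func makeWorkspace() (base, root string, err error) {
	if base, err = os.MkdirTemp("", "readdir-demo"); err != nil {
		return "", "", err
	}
	root = filepath.Join(base, "workspace")
	if err = os.MkdirAll(filepath.Join(root, "notebook"), 0o700); err == nil {
		err = os.WriteFile(filepath.Join(root, "notebook", "doc.sy"), []byte("{}"), 0o600)
	}
	if err == nil {
		err = os.WriteFile(filepath.Join(base, "secret.txt"), []byte("outside"), 0o600)
	}
	if err == nil {
		err = os.Symlink(base, filepath.Join(root, "link"))
	}
	return base, root, err
}

func main() {
	base, root, err := makeWorkspace()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	for _, p := range []string{"notebook", "../", "/notebook/../../", "link"} {
		v, verr := vulnerableReadDir(root, p)
		h, herr := hardenedReadDir(root, p)
		fmt.Printf("%-18q vulnerable=%v (%v)  hardened=%v (%v)\n", p, v, verr, h, herr)
	}
}
```

Run it with `go run` on a Unix-like system (the symlink step assumes symlink support). The unchecked handler happily lists the parent of the workspace for `../`, while the checked one rejects `../`, the absolute-looking `/notebook/../../`, and the `link` entry whose real path leaves the workspace, and still serves `notebook`. Rejecting rather than silently remapping escaped paths is deliberate: a rejected request can be logged as an attack attempt.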

Exploit · Fix · Path traversal


Weakness Enumeration

Related identifiers

CVE-2026-33670
GHSA-XMW9-6R43-X9WW
GO-2026-4843
SUSE-SU-2026:1135-1

Affected products

Siyuan