PT-2026-32054 · Siyuan · Siyuan

Published: 2026-04-10 · Updated: 2026-04-17 · CVE-2026-40259

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SiYuan versions 3.x through 3.6.3

Description: The '/api/av/removeUnusedAttributeView' endpoint is protected only by generic authentication, which also accepts publish-service RoleReader tokens. The handler passes a caller-controlled id value directly to a model function that deletes the corresponding attribute view file from the workspace, without verifying whether the caller has write privileges or whether the target attribute view is actually unused. An authenticated publish-service reader can therefore permanently delete arbitrary attribute view definitions, using data-av-id values that are publicly exposed in published content. This breaks database views and workspace rendering until the deleted definitions are manually restored.

Recommendations: Update SiYuan to version 3.6.4. As a temporary workaround, restrict access to the '/api/av/removeUnusedAttributeView' endpoint so that unauthorized users cannot invoke it.
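To make the two missing checks concrete, here is an added Go example that is not SiYuan's code and does not use its internal API. It places the flawed pattern from the description (authentication alone gating a delete-by-id) next to a hardened form that enforces a write-capable role and verifies that the view is really unreferenced. The Workspace, Session and Role types, the RoleEditor role, both function names and the av-* and doc-* ids are hypothetical stand-ins constructed for the illustration; RoleReader is the token class named in the advisory.

```go
package main

import (
	"errors"
	"fmt"
)

// Role is the caller's privilege level. RoleReader stands for the
// publish-service read-only token class named in the advisory; RoleEditor is a
// hypothetical write-capable role used only for this illustration.
type Role int

const (
	RoleReader Role = iota
	RoleEditor
)

// Session is the authenticated caller as seen by the handler (hypothetical shape).
type Session struct {
	User string
	Role Role
}

// Workspace is a constructed in-memory stand-in for the on-disk workspace:
// attribute view definitions keyed by id, plus the documents referencing each.
type Workspace struct {
	AttributeViews map[string]string   // avID -> definition (constructed sample)
	References     map[string][]string // avID -> ids of documents that use it
}

var (
	ErrForbidden = errors.New("forbidden: write role required")
	ErrNotFound  = errors.New("attribute view not found")
	ErrInUse     = errors.New("attribute view is still referenced")
)

// removeAttributeViewVulnerable reproduces the flawed pattern described in the
// advisory: authentication alone gates the call, so any valid session, reader
// tokens included, can delete whatever id it names.
func removeAttributeViewVulnerable(ws *Workspace, _ Session, id string) error {
	if _, ok := ws.AttributeViews[id]; !ok {
		return ErrNotFound
	}
	delete(ws.AttributeViews, id)
	return nil
}

// removeUnusedAttributeView is the hardened form: the caller must hold a
// write-capable role, and the view must really be unreferenced before its
// definition is removed.
func removeUnusedAttributeView(ws *Workspace, caller Session, id string) error {
	if caller.Role < RoleEditor {
		return ErrForbidden // authorization check, not merely authentication
	}
	if _, ok := ws.AttributeViews[id]; !ok {
		return ErrNotFound
	}
	if refs := ws.References[id]; len(refs) > 0 {
		return fmt.Errorf("%w by %v", ErrInUse, refs) // "unused" is verified, not trusted
	}
	delete(ws.AttributeViews, id)
	delete(ws.References, id)
	return nil
}

// newSampleWorkspace builds constructed sample data: one view still used by a
// document and one orphaned view.
func newSampleWorkspace() *Workspace {
	return &Workspace{
		AttributeViews: map[string]string{
			"av-used-1":   `{"name":"Tasks"}`,
			"av-orphan-1": `{"name":"Old table"}`,
		},
		References: map[string][]string{
			"av-used-1": {"doc-1"},
		},
	}
}

func main() {
	reader := Session{User: "guest", Role: RoleReader}
	editor := Session{User: "owner", Role: RoleEditor}

	ws := newSampleWorkspace()
	fmt.Println("vulnerable, reader deletes used view:", removeAttributeViewVulnerable(ws, reader, "av-used-1"))

	ws = newSampleWorkspace()
	fmt.Println("hardened, reader:", removeUnusedAttributeView(ws, reader, "av-used-1"))
	fmt.Println("hardened, editor on used view:", removeUnusedAttributeView(ws, editor, "av-used-1"))
	fmt.Println("hardened, editor on orphan:", removeUnusedAttributeView(ws, editor, "av-orphan-1"))
}
```

The interim workaround in the recommendation (restricting the endpoint at the proxy or router) stops the request before it reaches the handler; the hardened function shows the authorization and "is it really unused" checks that belong in the handler itself, so the fix does not depend on network placement.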

Weakness Enumeration: Improper Authorization

Related Identifiers: CVE-2026-40259, GHSA-7M5H-W69J-QGGG

Affected Products: Siyuan