PT-2026-33210 · Siyuan · Siyuan

Published: 2026-04-10 · Updated: 2026-04-17 · CVE-2026-40318

CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.6.4
Description: The '/api/av/removeUnusedAttributeView' endpoint constructs a filesystem path from the user-controlled id parameter without validation or path boundary enforcement. This allows an attacker to inject path traversal sequences, such as '../', to escape the intended directory and delete arbitrary .json files on the server, including global configuration files and workspace metadata. Path traversal is a technique used to access files and directories that are stored outside the web root folder.
Recommendations: Update to version 3.6.4. As a temporary workaround, avoid using the id parameter in the '/api/av/removeUnusedAttributeView' endpoint until the update is applied.
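The following Go snippet is an added illustration of the defect class and its mitigation; it is not SiYuan's code and not taken from the advisory or the fix. The directory name, the id allow-list pattern and the function names (unsafeAttributeViewPath, resolveUnder, attributeViewPath) are assumptions made for the example. The hardened path uses two independent layers: an allow-list on the id so that '.', '/' and '\' never reach the filesystem layer, and a containment check that the cleaned, absolute target still lies under the attribute-view directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrUnsafeID is returned for any id that could leave the attribute-view directory.
var ErrUnsafeID = errors.New("attribute view id rejected")

// idPattern is an allow-list for ids: letters, digits, '-' and '_' only, so
// '.', '/', '\' and empty strings are refused before any path is built.
// Assumption: SiYuan's real id format is at least this restrictive.
var idPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$`)

// unsafeAttributeViewPath mirrors the pattern the advisory describes: the id is
// joined into a path with no validation, so "../" components are honoured.
// Illustrative only; this is not SiYuan's code.
func unsafeAttributeViewPath(avDir, id string) string {
	return filepath.Join(avDir, id+".json")
}

// resolveUnder joins name onto baseDir and proves the cleaned result is still
// inside baseDir. It is the second, independent layer after the allow-list.
func resolveUnder(baseDir, name string) (string, error) {
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(base, name) // Join cleans ".." segments
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", ErrUnsafeID
	}
	// A relative path that starts with ".." means target is outside base.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeID
	}
	return target, nil
}

// attributeViewPath is the hardened version: allow-list the id, then confirm
// the resolved file sits under avDir. Symlinks inside avDir are out of scope.
func attributeViewPath(avDir, id string) (string, error) {
	if !idPattern.MatchString(id) {
		return "", ErrUnsafeID
	}
	return resolveUnder(avDir, id+".json")
}

func main() {
	avDir := "workspace/data/storage/av" // constructed sample directory
	for _, id := range []string{"20240101120000-abcdefg", "../../conf/conf", ""} {
		p, err := attributeViewPath(avDir, id)
		fmt.Printf("id=%q unsafe=%q hardened=%q err=%v\n",
			id, unsafeAttributeViewPath(avDir, id), p, err)
	}
}
```

Keeping the allow-list and the containment check as separate functions means a future refactor that relaxes the id format (for example to permit dots) still cannot produce a path outside the directory, and the containment helper can be reused for every other endpoint that maps an identifier to a file.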

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-40318
GHSA-VW86-C94W-V3X4

Affected Products

Siyuan