PT-2026-35066 · Siyuan · Siyuan

Published: 2026-04-22 · Updated: 2026-04-24 · CVE-2026-41894

CVSS v4.0: 7.1 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

SiYuan versions prior to 3.6.5

Description

An authenticated attacker can perform directory traversal to read arbitrary workspace files, including the full SQLite database (siyuan.db), kernel logs, and all user documents. This occurs because the serveExport() function contains a redundant url.PathUnescape() call, creating a double-decode vulnerability. By using double URL encoding (such as %252e%252e), an attacker can bypass path cleaning and access sensitive files. While a previous attempt to fix this issue introduced a denylist check via the IsSensitivePath() function, it failed to address the root cause and did not block access to critical files within the workspace temporary directory.

Recommendations

Update to version 3.6.5.
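
The double-decode pattern from the description, shown beside a containment check that addresses the root cause instead of a denylist. This is an added Go example, not SiYuan's code: the function names, the `exportDir` layout and the sample request path are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// Constructed layout for illustration; not SiYuan's real paths.
const exportDir = "/srv/ws/temp/export"

// onceDecoded stands in for the HTTP server, which percent-decodes the
// request path one time before the handler sees it.
func onceDecoded(raw string) string {
	p, _ := url.PathUnescape(raw)
	return p
}

// resolveDoubleDecode (hypothetical) shows the flawed pattern: a redundant
// second url.PathUnescape turns "%2e%2e" into ".." after path cleaning ran.
func resolveDoubleDecode(urlPath string) (string, error) {
	decoded, err := url.PathUnescape(urlPath)
	if err != nil {
		return "", err
	}
	return filepath.Join(exportDir, decoded), nil
}

// resolveContained (hypothetical) skips the second decode and rejects any
// joined path that is not inside exportDir.
func resolveContained(urlPath string) (string, error) {
	full := filepath.Join(exportDir, urlPath)
	rel, err := filepath.Rel(exportDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("path escapes export directory: %q", urlPath)
	}
	return full, nil
}

func main() {
	p := onceDecoded("%252e%252e/siyuan.db") // constructed request path
	bad, _ := resolveDoubleDecode(p)
	good, err := resolveContained(p)
	fmt.Println("double decode:", bad)
	fmt.Println("contained:    ", good, err)
	_, err = resolveContained("../siyuan.db")
	fmt.Println("literal ..:   ", err)
}
```

With a single decode, `%2e%2e` stays an ordinary path segment name under the export directory, and a literal `..` that would leave it is refused regardless of which file it targets.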

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-41894
GHSA-HJH7-R5W8-5872

Affected Products

Siyuan