CVE-2025-6806
published 2025-07-07CVE-2025-6806: Marvell QConvergeConsole decryptFile Directory Traversal Arbitrary File Write Vulnerability. This vulnerability allows remote attackers to create arbitrary…
PriorityP352high7.5CVSS 3.1
AVNACLPRNUINSUCNIHAN
EPSS
1.22%
65.0th percentile
Marvell QConvergeConsole decryptFile Directory Traversal Arbitrary File Write Vulnerability. This vulnerability allows remote attackers to create arbitrary files on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the implementation of the decryptFile method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to write files in the context of SYSTEM. Was ZDI-CAN-24979.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | siyuan-note_siyuan_kernel | >= 0 < 0.0.0-20260118092326-b2274baba2e1 | 0.0.0-20260118092326-b2274baba2e1 |
| marvell | qconvergeconsole | <= 5.5.0.85 | — |
| marvell | qconvergeconsole | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvdv3.08.2HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
SiYuan vulnerable to Arbitrary file Read / SSRF
ghsa·2026-01-21
CVE-2026-23850 [HIGH] CWE-22 SiYuan vulnerable to Arbitrary file Read / SSRF
SiYuan vulnerable to Arbitrary file Read / SSRF
### Summary
Markdown feature allows unrestricted server side html-rendering which allows arbitary file read (LFD) and fully SSRF access
We in @0xL4ugh ( @abdoghazy2015, @xtromera, @A-z4ki, @ZeyadZonkorany and @KarimTantawey) During playing Null CTF 2025 that helps us solved a challenge with unintended way : )
Please note that we used the latest Version and deployed it via this dockerfile :
Dockerfile:
```
FROM b3log/siyuan
ENV TZ=America/New_York \
PUID=1000 \
PGID=1000 \
SIYUAN_ACCESS_AUTH_CODE=SuperSecretPassword
RUN mkdir -p /siyuan/workspace
COPY ./startup.sh /opt/siyuan/startup.sh
RUN chmod +x /opt/siyuan/startup.sh
EXPOSE 6806
ENTRYPOINT ["sh", "-c", "/opt/siyuan/startup.sh"]
```
startup.sh
```sh
#!/bin/sh
set -e
echo "nullctf{
GHSA
GHSA-wh83-3gcw-w65g: Marvell QConvergeConsole decryptFile Directory Traversal Arbitrary File Write Vulnerability
ghsa_unreviewed·2025-07-07
CVE-2025-6806 [HIGH] CWE-22 GHSA-wh83-3gcw-w65g: Marvell QConvergeConsole decryptFile Directory Traversal Arbitrary File Write Vulnerability
Marvell QConvergeConsole decryptFile Directory Traversal Arbitrary File Write Vulnerability. This vulnerability allows remote attackers to create arbitrary files on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the implementation of the decryptFile method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to write files in the context of SYSTEM. Was ZDI-CAN-24979.
GHSA
SiYuan has an arbitrary file deletion vulnerability
ghsa·2025-01-03
CVE-2025-21609 [HIGH] CWE-459 SiYuan has an arbitrary file deletion vulnerability
SiYuan has an arbitrary file deletion vulnerability
### Summary
A **arbitrary file deletion vulnerability** has been identified in the latest version of Siyuan Note. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint.An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server.
### Details
The vulnerability can be reproduced by sending a crafted request to the `/api/history/getDocHistoryContent` endpoint.
Sending a request to the `/api/history/getDocHistoryContent` like:
```
curl "http://127.0.0.1:6806/api/history/getDocHistoryContent" -X POST -H "Content-Type: application/json" -d '{"historyPath":""}'
```
Replace `` with the absolute file path of the target file you wish to delete.
The `hist
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-07-07
Published