CVE-2026-33194
published 2026-03-20


Priority: P3 (36)
Severity: medium, CVSS 3.1 base score 6.8
CVSS 3.1 vector: AV:N / AC:L / PR:H / UI:N / S:C / C:H / I:N / A:N
EPSS: 0.49% (38.3 percentile)
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the `IsSensitivePath()` function in `kernel/util/path.go` uses a denylist approach that was recently expanded (GHSA-h5vh-m7fg-w5h6, commit 9914fd1) but remains incomplete. Multiple security-relevant Linux directories are not blocked, including `/opt` (application data), `/usr` (local configs/binaries), `/home` (other users), `/mnt` and `/media` (mounted volumes). The `globalCopyFiles` and `importStdMd` endpoints rely on `IsSensitivePath` as their primary defense against reading files outside the workspace. Version 3.6.2 contains an updated fix.
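The advisory's point is structural: a denylist of sensitive directories fails open whenever a directory is missing from the list, while confining every requested path to the workspace root fails closed. The Go snippet below is an added illustration of that contrast and is not SiYuan's code; the denylist contents, the `/srv/siyuan/workspace` root and the sample paths are constructed for the example. It makes the comparison concrete by running a path such as `/opt/app/secret.txt` through both checks.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// sensitiveDenylist is a constructed illustration of a denylist-style check,
// not the project's actual list. It blocks a handful of well-known
// directories and silently allows everything else.
var sensitiveDenylist = []string{"/etc", "/root", "/proc", "/sys", "/dev", "/boot", "/var"}

// DenylistAllows reports whether a denylist check lets the path through.
// Any directory absent from the list (for example /opt, /usr or /home) is
// allowed, which is exactly the gap an incomplete denylist leaves.
func DenylistAllows(p string) bool {
	clean := filepath.Clean(p)
	for _, d := range sensitiveDenylist {
		if clean == d || strings.HasPrefix(clean, d+"/") {
			return false
		}
	}
	return true
}

// WorkspaceAllows is the allowlist alternative: a path is accepted only if,
// after normalisation, it lies inside the workspace root. Which system
// directory an outside path names is irrelevant; it is rejected either way.
// This is a lexical check; a deployment should additionally resolve symlinks
// (filepath.EvalSymlinks) once the target exists, so a link inside the
// workspace cannot point outside it.
func WorkspaceAllows(workspace, p string) bool {
	root, err := filepath.Abs(workspace)
	if err != nil {
		return false
	}
	// Relative input is interpreted relative to the workspace; absolute
	// input is taken as given. Both are then cleaned of "." and "..".
	target := p
	if !filepath.IsAbs(target) {
		target = filepath.Join(root, target)
	}
	target = filepath.Clean(target)
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return false
	}
	// Rel yields ".." or "../x" for anything outside root, including the
	// sibling-prefix case ("/ws2/x" against root "/ws").
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return false
	}
	return true
}

func main() {
	ws := "/srv/siyuan/workspace"
	for _, p := range []string{"/etc/passwd", "/opt/app/secret.txt", "notes/a.md", "../../../etc/passwd"} {
		fmt.Printf("%-22s denylist=%-5v workspace=%v\n", p, DenylistAllows(p), WorkspaceAllows(ws, p))
	}
}
```

Running it shows the denylist rejecting `/etc/passwd` but accepting `/opt/app/secret.txt`, whereas the workspace check accepts only the path that resolves under the root.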

Affected (3 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| b3log | siyuan | < 3.6.2 | 3.6.2 |
| github.com | siyuan-note_siyuan_kernel | >= 0, < 3.6.2 | 3.6.2 |
| siyuan-note | siyuan | < 3.6.2 | 3.6.2 |