CVE-2026-33476
Published 2026-03-20
Priority: P2 (64) · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 3.26% (86.8th percentile)
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath`. Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process. Authentication checks explicitly exclude this endpoint, allowing exploitation without valid credentials. Version 3.6.2 fixes this issue.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| b3log | siyuan | < 3.6.2 | 3.6.2 |
| github.com | siyuan-note_siyuan_kernel | 0 – 0.0.0-20260317012524-fe4523fff2c8 | — |
| siyuan-note | siyuan | < 3.6.2 | 3.6.2 |
Detection & IOCs (extracted from sources)
- Match an HTTP 200 response body containing both '"kernelVersion"' and '"logLevel"' with Content-Type 'application/json' to confirm successful path traversal and conf.json disclosure.
- The vulnerable endpoint /appearance/*filepath explicitly bypasses authentication checks; monitor for unauthenticated GET requests to paths under /appearance/ containing directory traversal sequences (e.g., ../).
- Use the Shodan favicon hash -1450125239 to identify exposed SiYuan instances on the internet for proactive asset discovery.
- The vulnerability affects SiYuan versions up to and including v3.6.1. Version 3.6.2 patches the improper path sanitization.
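A defender-side check for the monitoring indicator above, written here as an added Go example (not code from this page or from the SiYuan project): it scans constructed access-log lines for GET requests under /appearance/ that carry a dot-dot segment, in raw or percent-encoded form. The "METHOD PATH STATUS" log format and the sample lines are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample access-log lines ("METHOD PATH STATUS"), not real traffic.
var sampleLog = []string{
	"GET /appearance/themes/daylight/theme.css 200",
	"GET /appearance/../conf/conf.json 200",
	"GET /appearance/%2e%2e/%2e%2e/conf/conf.json 200",
	"GET /api/system/version 401",
	"GET /appearance/icons/material/icon.js 404",
}

var dotDot = regexp.MustCompile(`(^|[\\/])\.\.([\\/]|$)`) // a lone ".." segment

// isTraversalAttempt reports whether a request path targets /appearance/ and
// carries a dot-dot segment, in raw or percent-decoded form (e.g. %2e%2e).
func isTraversalAttempt(path string) bool {
	if !strings.HasPrefix(strings.ToLower(path), "/appearance/") {
		return false
	}
	if dotDot.MatchString(path) {
		return true
	}
	decoded, err := url.PathUnescape(path)
	return err == nil && dotDot.MatchString(decoded)
}

// flagTraversal returns the GET lines that look like traversal attempts.
func flagTraversal(lines []string) []string {
	var hits []string
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == "GET" && isTraversalAttempt(f[1]) {
			hits = append(hits, line)
		}
	}
	return hits
}

func main() {
	for _, h := range flagTraversal(sampleLog) {
		fmt.Println("ALERT:", h)
	}
}
```

Pair a hit with the response indicator from the first bullet (HTTP 200, JSON body containing "kernelVersion" and "logLevel") to distinguish a successful read from a blocked attempt.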
OSV · 2026-03-23
CVE-2026-33476: Siyuan has an Unauthenticated Arbitrary File Read via Path Traversal in github.com/siyuan-note/siyuan/kernel

OSV · 2026-03-20
CVE-2026-33476 [HIGH]: Siyuan has an Unauthenticated Arbitrary File Read via Path Traversal
## Summary
The Siyuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath`.
Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process.
Authentication checks explicitly exclude this endpoint, allowing exploitation without valid credentials.
## Details
**Vulnerable Code Location**
**File: kernel/server/serve.go**
```go
// Excerpt as quoted in the advisory; the "..." marks code the advisory omits.
siyuan.GET("/appearance/*filepath", func(c *gin.Context) {
	// The route prefix is stripped and the remainder joined onto the
	// appearance directory. Nothing rejects ".." segments, and Join's
	// cleaning lets them resolve to paths above appearancePath.
	filePath := filepath.Join(
		appearancePath,
		strings.TrimPrefix(c.Request.URL.Path, "/appearance/"),
	)
	...
	c.File(filePath)
})
```
**Technical Root Cause**
The handler constructs a filesystem path by joining a base directory (appearanceP
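To show why the join above is insufficient and what a path-containment check looks like, here is an added Go example (not the project's code and not its actual 3.6.2 fix; it avoids gin so it runs stand-alone): vulnerableResolve reproduces the quoted join, and safeResolve is an assumed hardening that rejects any resolved path outside the appearance directory. The base directory /opt/siyuan/appearance is a constructed value.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errOutsideBase = errors.New("requested path escapes the appearance directory")

// vulnerableResolve mirrors the flawed handler: TrimPrefix, then filepath.Join.
// Join cleans the result, so "../" segments climb above appearancePath.
func vulnerableResolve(appearancePath, urlPath string) string {
	return filepath.Join(appearancePath, strings.TrimPrefix(urlPath, "/appearance/"))
}

// safeResolve is one way to harden the handler (an assumption, not the
// project's fix): clean the joined path, then require it to sit strictly
// below the base directory by checking a separator-terminated prefix.
func safeResolve(appearancePath, urlPath string) (string, error) {
	base := filepath.Clean(appearancePath)
	rel := strings.TrimPrefix(urlPath, "/appearance/")
	full := filepath.Join(base, rel)
	// The trailing separator also rejects sibling directories such as
	// "appearance-old", which a bare HasPrefix(full, base) would accept.
	if !strings.HasPrefix(full, base+string(filepath.Separator)) {
		return "", errOutsideBase
	}
	return full, nil
}

func main() {
	base := "/opt/siyuan/appearance"
	for _, p := range []string{
		"/appearance/themes/daylight/theme.css",
		"/appearance/../conf/conf.json",
	} {
		fmt.Printf("vulnerable: %s\n", vulnerableResolve(base, p))
		safe, err := safeResolve(base, p)
		fmt.Printf("hardened:   %q err=%v\n", safe, err)
	}
}
```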
GHSA · 2026-03-20
CVE-2026-33476 [HIGH] CWE-22: Siyuan has an Unauthenticated Arbitrary File Read via Path Traversal
(advisory text identical to the OSV entry above)
No detection rules found.
Nuclei · CVSS 7.5
CVE-2026-33476 [HIGH]: SiYuan <= v3.6.1 - Path Traversal
Template:
```yaml
id: CVE-2026-33476
info:
  name: SiYuan <= v3.6.1 - Path Traversal
  author: WRG-11
  severity: high
  description: |
    SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath.` Due to improper path sani
```
Published 2026-03-20