CVE-2026-33476
published 2026-03-20


Priority: P2 (64), high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit: flagged
EPSS: 3.26% (86.8th percentile)
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath`. Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process. Authentication checks explicitly exclude this endpoint, so exploitation requires no valid credentials. Version 3.6.2 fixes this issue.

Affected (3 ranges)

Vendor        Product                     Version range                            Fixed in
b3log         siyuan                      < 3.6.2                                  3.6.2
github.com    siyuan-note_siyuan_kernel   0 – 0.0.0-20260317012524-fe4523fff2c8    (not listed)
siyuan-note   siyuan                      < 3.6.2                                  3.6.2

Detection & IOCs (extracted from sources)

URL:   /appearance/langs/../../conf.json
Path:  /appearance/*filepath
Other: http.favicon.hash:-1450125239
  • Match HTTP 200 response body containing both '"kernelVersion"' and '"logLevel"' with Content-Type 'application/json' to confirm successful path traversal and conf.json disclosure.
  • The vulnerable endpoint /appearance/*filepath explicitly bypasses authentication checks — monitor for unauthenticated GET requests to paths under /appearance/ containing directory traversal sequences (e.g., ../).
  • Use the Shodan favicon hash -1450125239 to identify exposed SiYuan instances on the internet for proactive asset discovery.
  • The vulnerability affects SiYuan versions up to and including v3.6.1. Version 3.6.2 patches the improper path sanitization.
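The following Go program is an added example, not code from the advisory or from the SiYuan project. It turns the two indicators above into runnable checks: a request-side test that flags traversal under /appearance/ after percent-decoding (so %2e%2e and double-encoded variants are caught), run over a constructed access-log sample, and a response-side test for the conf.json signature (HTTP 200, JSON content type, both "kernelVersion" and "logLevel" present). Alongside them is an assumed shape of the fix, a resolver that refuses any request whose cleaned path leaves the appearance root; it is not the actual 3.6.2 patch. The root directory, log lines and function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"path/filepath"
	"regexp"
	"strings"
)

// appearancePrefix is the unauthenticated route prefix named in the advisory.
const appearancePrefix = "/appearance/"

// decodePath percent-decodes a path repeatedly (bounded) so that single- and
// double-encoded traversal sequences such as %2e%2e%2f or %252e%252e%252f are
// normalised before inspection. A malformed escape stops the loop.
func decodePath(p string) string {
	for i := 0; i < 3; i++ {
		d, err := url.PathUnescape(p)
		if err != nil || d == p {
			break
		}
		p = d
	}
	return p
}

// IsTraversalAttempt reports whether a request target points at the
// /appearance/ route and carries a ".." segment after decoding
// (backslashes are normalised to slashes first). The query string is ignored.
func IsTraversalAttempt(target string) bool {
	if i := strings.IndexByte(target, '?'); i >= 0 {
		target = target[:i]
	}
	p := strings.ReplaceAll(decodePath(target), "\\", "/")
	if !strings.HasPrefix(p, appearancePrefix) {
		return false
	}
	for _, seg := range strings.Split(strings.TrimPrefix(p, appearancePrefix), "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// SafeResolve is an assumed shape of the hardened serving logic (not SiYuan's
// code): the part after /appearance/ is decoded, cleaned and joined to root,
// and the request is rejected if the resulting path lies outside root.
func SafeResolve(root, target string) (string, error) {
	rel := decodePath(strings.TrimPrefix(target, appearancePrefix))
	full := filepath.Join(root, filepath.FromSlash(path.Clean(rel)))
	r, err := filepath.Rel(root, full)
	if err != nil || r == ".." || strings.HasPrefix(r, ".."+string(filepath.Separator)) {
		return "", errors.New("request escapes appearance root")
	}
	return full, nil
}

// LooksLikeConfLeak applies the response-side indicator from the advisory:
// a 200 JSON body carrying both the "kernelVersion" and "logLevel" keys.
func LooksLikeConfLeak(status int, contentType, body string) bool {
	return status == 200 &&
		strings.HasPrefix(strings.ToLower(contentType), "application/json") &&
		strings.Contains(body, `"kernelVersion"`) &&
		strings.Contains(body, `"logLevel"`)
}

var requestLine = regexp.MustCompile(`"(?:GET|HEAD) (\S+) HTTP/`)

// ScanAccessLog returns the common-log-format lines whose request target is a
// traversal attempt against /appearance/. Because the route skips
// authentication, every such request counts, credentials or not.
func ScanAccessLog(lines []string) []string {
	var hits []string
	for _, ln := range lines {
		if m := requestLine.FindStringSubmatch(ln); m != nil && IsTraversalAttempt(m[1]) {
			hits = append(hits, ln)
		}
	}
	return hits
}

// sampleLog is constructed for this example; it is not a real capture.
var sampleLog = []string{
	`203.0.113.7 - - [20/Mar/2026:10:15:02 +0000] "GET /appearance/langs/../../conf.json HTTP/1.1" 200 1832`,
	`203.0.113.7 - - [20/Mar/2026:10:15:03 +0000] "GET /appearance/langs/%2e%2e/%2e%2e/conf.json HTTP/1.1" 200 1832`,
	`198.51.100.4 - - [20/Mar/2026:10:15:09 +0000] "GET /appearance/themes/daylight/theme.css HTTP/1.1" 200 5120`,
	`198.51.100.4 - - [20/Mar/2026:10:15:10 +0000] "GET /favicon.ico HTTP/1.1" 200 1150`,
}

func main() {
	for _, h := range ScanAccessLog(sampleLog) {
		fmt.Println("traversal:", h)
	}
	if _, err := SafeResolve("/srv/siyuan/appearance", "/appearance/langs/../../conf.json"); err != nil {
		fmt.Println("hardened resolver:", err)
	}
}
```

Decoding before inspection matters: a rule that matches the literal string `../` misses `%2e%2e%2f`, and a single decode misses the double-encoded form, so the loop is bounded rather than single-shot. The resolver rejects rather than silently clamping the path, which keeps the attempt visible in error logs.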