CVE-2026-40318
Published 2026-04-16
Priority P3 (54) · Severity high · CVSS 3.1 base score 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
EPSS: 0.29% (20.4th percentile)
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject path traversal sequences such as ../ into the id value to escape the intended directory and delete arbitrary .json files on the server, including global configuration files and workspace metadata. This issue has been fixed in version 3.6.4.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| b3log | siyuan | < 3.6.4 | 3.6.4 |
| github.com | siyuan-note_siyuan_kernel | >= 0 < 3.6.40.0.0-20260407035653-2f416e5253f1 | 3.6.40.0.0-20260407035653-2f416e5253f1 |
| siyuan-note | siyuan | < 3.6.4 | 3.6.4 |
VulDB
vuldb · 2026-04-17 · CVSS 8.5
CVE-2026-40318 [HIGH] SiYuan up to 3.6.3 removeUnusedAttributeView ID path traversal (GHSA-vw86-c94w-v3x4 / CNNVD-202604-3434)
A vulnerability was found in SiYuan up to 3.6.3. It has been classified as problematic. Affected by this issue is some unknown functionality of the file /api/av/removeUnusedAttributeView. This manipulation of the argument ID causes path traversal: '../filedir'.
This vulnerability is registered as CVE-2026-40318. Remote exploitation of the attack is possible. No exploit is available.
Upgrading the affected component is recommended.
GHSA
ghsa · 2026-04-10
CVE-2026-40318 [HIGH] CWE-24 SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView`
## Summary
The endpoint `/api/av/removeUnusedAttributeView` is vulnerable to a **path traversal (CWE-22)** that allows an attacker to delete arbitrary `.json` files on the server.
The issue arises because user-controlled input (`id`) is directly used in filesystem path construction without validation or restriction.
> Access to this endpoint (e.g., via a Reader-role or publish context) is considered a precondition and not part of the vulnerability. The root cause is unsafe path handling.
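The root cause named in the summary is that `id` flows straight into a filesystem path. The following Go example, added here and not taken from the SiYuan kernel, shows the two boundaries a handler of this shape should enforce before deleting anything: an allow-list on the id itself, and a check that the cleaned, joined path still lies inside the storage directory. The `.json` suffix and the flat `<baseDir>/<id>.json` layout are assumptions for illustration, as is the id format in `idPattern`.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrInvalidID is returned when the id fails the allow-list or would resolve outside baseDir.
var ErrInvalidID = errors.New("invalid attribute view id")

// idPattern is a hypothetical allow-list for storage ids: letters, digits and '-' only.
// Because '/', '\\' and '.' are all excluded, a traversal segment cannot even be expressed.
var idPattern = regexp.MustCompile(`^[A-Za-z0-9-]{1,64}$`)

// ResolveAttributeViewPath maps a user-supplied id to the single file it may refer to
// (assumed layout: <baseDir>/<id>.json). It rejects the id before path construction and,
// as defence in depth, verifies the final path is still rooted in baseDir.
func ResolveAttributeViewPath(baseDir, id string) (string, error) {
	if !idPattern.MatchString(id) {
		return "", ErrInvalidID
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	// Join cleans the result, so any ".." that slipped past the allow-list is collapsed here.
	target := filepath.Join(base, id+".json")
	// Rel yields ".." or "../x" when target is outside base; refuse in that case.
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidID
	}
	return target, nil
}

// RemoveUnusedAttributeView deletes the attribute view file only after the path has
// been resolved and bounded; a rejected id never reaches os.Remove.
func RemoveUnusedAttributeView(baseDir, id string) error {
	p, err := ResolveAttributeViewPath(baseDir, id)
	if err != nil {
		return err
	}
	return os.Remove(p)
}

func main() {
	base := filepath.Join(os.TempDir(), "av-demo") // constructed demo directory, never created
	for _, id := range []string{"20240101120000-abcdefg", "../../conf/conf"} {
		p, err := ResolveAttributeViewPath(base, id)
		fmt.Printf("id=%q -> path=%q err=%v\n", id, p, err)
	}
}
```

With the allow-list in place the `filepath.Rel` check can never fire, which is the point: the second boundary costs nothing and keeps the delete safe even if someone later relaxes the pattern to admit dots or separators.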
---
## Steps To Reproduce
1. Ensure the target instance has the publish service enabled (or any valid access to the endpoint).
2. Send the following request:
```http
POST /api/av/removeUnusedAttributeView HTTP/1.1
Host:
Co
```
No detection rules found.
No public exploits indexed.