CVE-2026-54066
Published 2026-06-24
Priority: P2 · 63 · high · CVSS 3.1: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 1.89% (77.0th percentile)
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the patch for CVE-2026-41894 ("Path Traversal via Double URL Encoding") sanitized the /export/ route but the identical root cause remains in the /assets/*path route. In publish mode (anonymous read-only HTTP endpoint, default port 6808), an unauthenticated remote attacker can read arbitrary files inside WorkspaceDir — including conf/conf.json (which contains the AccessAuthCode SHA256 hash, API token, and sync keys), temp/siyuan.db, temp/blocktree.db, and siyuan.log — by double-URL-encoding .. segments. This vulnerability is fixed in 3.7.0.
Detection & IOCs (extracted from sources)
sigma
matchers: status_code == 200 AND contains(content_type, "application/json") AND contains_all(body, "accessAuthCode", "appearance", "editor", "system")
- Detect double-URL-encoded path traversal attempts targeting the /assets/ route: look for %252e%252e sequences in HTTP request URIs on port 6808.
- Alert on unauthenticated HTTP GET requests to port 6808 containing '%252e%252e' (double-encoded dot-dot) in the URI path, indicative of CVE-2026-54066 exploitation.
- Successful exploitation returns HTTP 200 with Content-Type application/json and a body containing the keys 'accessAuthCode', 'appearance', 'editor', and 'system' — monitor for such responses on port 6808.
- Use Shodan/FOFA to identify exposed SiYuan publish-mode instances: shodan-query 'port:6808 "SiYuan"' and fofa-query 'title="SiYuan" && port="6808"'.
- The vulnerable route is /assets/*path; the previously patched route /export/ does not cover this vector — ensure WAF rules cover both routes for SiYuan instances.
- The vulnerability is only exploitable when SiYuan is running in publish mode (anonymous read-only HTTP endpoint); the default port is 6808. Instances not exposed in publish mode are not directly reachable by unauthenticated remote attackers.
- Successful exploitation against conf/conf.json exposes the AccessAuthCode SHA256 hash, API token, and sync keys — enabling full authenticated API access to all notebooks even after patching the traversal if credentials are not rotated.
- The Nuclei template is marked 'verified: false'; treat detection results as presumptive until confirmed against a live vulnerable instance.
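As an added example (not code from this page or from the SiYuan project), the following Python script applies the detection logic from the bullets above to a few constructed access-log lines. It URL-decodes each request path in passes and records how many passes were needed before a `..` segment appears, so a double-encoded attempt (two passes) is distinguished from a single-encoded one, and it flags a 200 response on the /assets/ route as a likely successful read. The simplified log format, client addresses and request paths are all constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (assumed simplified format:
# "timestamp client method path status content-type"). Not real traffic.
SAMPLE_LOG = """\
2026-06-24T10:00:01Z 198.51.100.7 GET /assets/20260101-image.png 200 image/png
2026-06-24T10:00:02Z 203.0.113.5 GET /assets/%252e%252e/%252e%252e/conf/conf.json 200 application/json
2026-06-24T10:00:03Z 203.0.113.5 GET /assets/%252E%252E/temp/siyuan.db 200 application/octet-stream
2026-06-24T10:00:04Z 198.51.100.9 GET /export/%252e%252e/conf/conf.json 400 text/plain
2026-06-24T10:00:05Z 198.51.100.7 GET /assets/..%2f..%2fconf%2fconf.json 404 text/plain
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+)$"
)


def traversal_depth(raw_path, max_depth=2):
    """Return how many URL-decode passes (0..max_depth) are needed before a
    '..' path segment appears, or None if the path never yields one.
    A result of 2 is the double-encoding pattern described in the advisory."""
    candidate = raw_path.split("?", 1)[0]
    for depth in range(max_depth + 1):
        if any(seg == ".." for seg in candidate.split("/")):
            return depth
        candidate = unquote(candidate)
    return None


def classify_line(line):
    """Parse one log line and return a finding dict, or None if benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    depth = traversal_depth(m["path"])
    if depth is None:
        return None
    route = "/" + m["path"].split("/")[1] + "/"
    status = int(m["status"])
    return {
        "client": m["client"],
        "route": route,
        "encoding_depth": depth,
        "status": status,
        "content_type": m["ctype"],
        # The advisory notes the /assets/ route was left unpatched; a 200 there
        # with double-encoded '..' is the strongest indicator of a successful read.
        "likely_success": status == 200 and depth == 2 and route == "/assets/",
    }


def scan_log(text):
    """Run classify_line over every line and return the list of findings."""
    return [f for f in (classify_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Decoding in passes rather than matching only the literal string `%252e%252e` also catches mixed-case hex and single-encoded variants, and the recorded depth tells an analyst which encoding layer the request relied on.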
No advisories linked to this vulnerability.
No detection rules found.
Nuclei
SiYuan <= 3.6.5 - Unauthenticated Path Traversal
nuclei·CVSS 7.5
CVE-2026-54066 [HIGH] SiYuan <= 3.6.5 - Unauthenticated Path Traversal
SiYuan <= 3.6.5 contains a path traversal via double URL-encoding in the /assets/ route (publish mode port 6808), allowing unauthenticated attackers to read arbitrary files inside WorkspaceDir including conf/conf.json which exposes the API token and access auth code.
Template:
id: CVE-2026-54066
info:
  name: SiYuan <= 3.6.5 - Unauthenticated Path Traversal
  author: 0x_Akoko
  severity: high
  description: |
    SiYuan <= 3.6.5 contains a path traversal via double URL-encoding in the /assets/ route (publish mode port 6808), allowing unauthenticated attackers to read arbitrary files inside WorkspaceDir including conf/conf.json which exposes the API token and access auth code.
  impact: |
    Unauthenticated attackers can read conf/conf.json exposing the A
No writeups or analysis indexed.