CVE-2026-54066
published 2026-06-24


Priority: P2 (63) · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: flagged
EPSS: 1.89% (77.0th percentile)
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the patch for CVE-2026-41894 ("Path Traversal via Double URL Encoding") sanitized the /export/ route but the identical root cause remains in the /assets/*path route. In publish mode (anonymous read-only HTTP endpoint, default port 6808), an unauthenticated remote attacker can read arbitrary files inside WorkspaceDir — including conf/conf.json (which contains the AccessAuthCode SHA256 hash, API token, and sync keys), temp/siyuan.db, temp/blocktree.db, and siyuan.log — by double-URL-encoding .. segments. This vulnerability is fixed in 3.7.0.
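The root cause described above is a second round of URL decoding applied after the traversal check: the router decodes `%252e` once to `%2e`, the check sees no `..`, and the handler then decodes again and joins the result onto the assets directory. The following Go program is an added illustration of that bug class and of a hardened resolver; it is not SiYuan's code. The workspace path and the `data/assets` sub-directory are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"path/filepath"
	"strings"
)

// workspace stands in for SiYuan's WorkspaceDir (assumed location, not taken from the project).
const workspace = "/srv/siyuan/workspace"

// hasTraversal is the single-decode check a naive patch applies: reject any
// ".." segment in the path exactly as the router delivered it.
func hasTraversal(p string) bool {
	for _, seg := range strings.Split(p, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// resolveVulnerable models the defect: the router already decoded the URI once
// (%252e became %2e), the traversal check passes, and the handler decodes a
// second time before joining, so %2e%2e turns into ".." after the check.
func resolveVulnerable(routerPath string) (string, error) {
	if hasTraversal(routerPath) {
		return "", errors.New("rejected: traversal")
	}
	decoded, err := url.PathUnescape(routerPath) // second decode: the bug
	if err != nil {
		return "", err
	}
	return filepath.Join(workspace, "data", "assets", decoded), nil
}

// resolveHardened never decodes again, rejects literal ".." segments, cleans the
// path, and enforces that the result stays under the assets root.
func resolveHardened(routerPath string) (string, error) {
	if hasTraversal(routerPath) {
		return "", errors.New("rejected: traversal")
	}
	root := filepath.Join(workspace, "data", "assets")
	full := filepath.Join(root, filepath.FromSlash(path.Clean("/"+routerPath)))
	if full != root && !strings.HasPrefix(full, root+string(filepath.Separator)) {
		return "", errors.New("rejected: outside assets root")
	}
	return full, nil
}

func main() {
	// What a once-decoding router hands the handler for
	// GET /assets/%252e%252e/%252e%252e/conf/conf.json
	fromRouter := "%2e%2e/%2e%2e/conf/conf.json"
	for _, c := range []struct {
		name string
		fn   func(string) (string, error)
	}{{"vulnerable", resolveVulnerable}, {"hardened", resolveHardened}} {
		p, err := c.fn(fromRouter)
		fmt.Printf("%-10s %q err=%v\n", c.name, p, err)
	}
}
```

With the example's assumed layout, the vulnerable resolver maps the request to `<workspace>/conf/conf.json`, two directories above `data/assets`, which is exactly why `conf/conf.json` is the first file an attacker asks for. The hardened resolver treats `%2e%2e` as an ordinary (non-existent) directory name and answers 404.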

Detection & IOCs (extracted from sources)

url: /assets/%252e%252e/%252e%252e/conf/conf.json
path: conf/conf.json
path: temp/siyuan.db
path: temp/blocktree.db
path: siyuan.log
port: 6808
matcher (labelled "sigma" on the page, but this is a Nuclei-style HTTP response matcher, not a Sigma rule): status_code == 200 AND contains(content_type, "application/json") AND contains_all(body, "accessAuthCode", "appearance", "editor", "system")
  • Detect double-URL-encoded path traversal attempts against the /assets/ route: alert on unauthenticated HTTP GET requests to port 6808 whose URI path contains '%252e%252e' (double-encoded dot-dot), indicative of CVE-2026-54066 exploitation.
  • Successful exploitation returns HTTP 200 with Content-Type application/json and a body containing the keys 'accessAuthCode', 'appearance', 'editor', and 'system' (the shape of conf/conf.json); monitor for such responses on port 6808.
  • Use Shodan/FOFA to identify exposed SiYuan publish-mode instances: shodan-query 'port:6808 "SiYuan"' and fofa-query 'title="SiYuan" && port="6808"'.
  • The vulnerable route is /assets/*path; the earlier patch for CVE-2026-41894 covered only /export/. Ensure WAF rules cover both routes for SiYuan instances.
  • The vulnerability is only exploitable when SiYuan is running in publish mode (anonymous read-only HTTP endpoint); the default port is 6808. Instances not exposed in publish mode are not directly reachable by unauthenticated remote attackers.
  • Successful retrieval of conf/conf.json exposes the AccessAuthCode SHA256 hash, API token, and sync keys, enabling full authenticated API access to all notebooks even after the traversal is patched. Rotate those credentials after upgrading to 3.7.0 if the instance was exposed.
  • The Nuclei template is marked 'verified: false'; treat detection results as presumptive until confirmed against a live vulnerable instance.
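The request- and response-side detections above can be checked against web server access logs and proxy captures. The Go program below is an added example, not a rule shipped with SiYuan or the Nuclei template it mentions. It flags requests to /assets/ or /export/ that carry a double-encoded dot-dot, also catching case variants and paths that only reveal `%2e%2e` after one round of decoding, and it implements the response matcher quoted above. The log lines are constructed for the example in common log format.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// requestRE pulls method, URI and status code out of a common-log-format line.
var requestRE = regexp.MustCompile(`"([A-Z]+) (\S+) HTTP/[0-9.]+" (\d{3})`)

// isTraversalProbe reports whether a request URI targets /assets/ or /export/
// with a double-encoded dot-dot: either the literal %252e%252e (any case) or a
// path that still contains %2e%2e or ".." after one round of decoding, which is
// what a once-decoding router would hand to the handler.
func isTraversalProbe(uri string) bool {
	p := uri
	if i := strings.IndexByte(p, '?'); i >= 0 {
		p = p[:i]
	}
	lower := strings.ToLower(p)
	if !strings.HasPrefix(lower, "/assets/") && !strings.HasPrefix(lower, "/export/") {
		return false
	}
	if strings.Contains(lower, "%252e%252e") {
		return true
	}
	once, err := url.PathUnescape(p)
	if err != nil {
		return false
	}
	onceLower := strings.ToLower(once)
	return strings.Contains(onceLower, "%2e%2e") ||
		strings.Contains(onceLower, "/../") || strings.HasSuffix(onceLower, "/..")
}

// Hit is one flagged log line together with the reason it tripped.
type Hit struct {
	Line   string
	Status string
	Reason string
}

// scanLog returns every request line that looks like a CVE-2026-54066 probe;
// a 200 response is called out because it indicates the file was likely served.
func scanLog(lines []string) []Hit {
	var hits []Hit
	for _, line := range lines {
		m := requestRE.FindStringSubmatch(line)
		if m == nil || !isTraversalProbe(m[2]) {
			continue
		}
		reason := "double-encoded traversal on " + m[2][:8]
		if m[3] == "200" {
			reason += " (200: probable file read)"
		}
		hits = append(hits, Hit{Line: line, Status: m[3], Reason: reason})
	}
	return hits
}

// looksLikeConfLeak mirrors the page's response matcher: HTTP 200, a JSON
// content type, and all four top-level keys of conf/conf.json in the body.
func looksLikeConfLeak(status int, contentType, body string) bool {
	if status != 200 || !strings.Contains(contentType, "application/json") {
		return false
	}
	for _, k := range []string{"accessAuthCode", "appearance", "editor", "system"} {
		if !strings.Contains(body, k) {
			return false
		}
	}
	return true
}

// sampleLog is constructed for this example; addresses are documentation ranges.
var sampleLog = []string{
	`203.0.113.5 - - [24/Jun/2026:10:15:02 +0000] "GET /assets/%252e%252e/%252e%252e/conf/conf.json HTTP/1.1" 200 1842`,
	`198.51.100.7 - - [24/Jun/2026:10:15:09 +0000] "GET /assets/image-20260624.png HTTP/1.1" 200 48213`,
	`203.0.113.5 - - [24/Jun/2026:10:16:30 +0000] "GET /assets/%252E%252E/%252E%252E/temp/siyuan.db HTTP/1.1" 200 9437184`,
	`203.0.113.5 - - [24/Jun/2026:10:17:01 +0000] "GET /export/%252e%252e/%252e%252e/conf/conf.json HTTP/1.1" 404 19`,
	`203.0.113.5 - - [24/Jun/2026:10:17:45 +0000] "GET /assets/%25%32%65%25%32%65/%25%32%65%25%32%65/siyuan.log HTTP/1.1" 200 20480`,
}

func main() {
	for _, h := range scanLog(sampleLog) {
		fmt.Printf("[%s] %s\n  %s\n", h.Status, h.Reason, h.Line)
	}
}
```

Four of the five constructed lines are flagged: the canonical probe, its upper-case variant, the same probe against the already-patched /export/ route (still worth knowing about, even though it returned 404), and a `%25%32%65` spelling that only becomes `%2e%2e` after one decode. The plain PNG fetch is ignored.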