SiYuan: Attacker Can Delete Arbitrary Files

GHSA-vw86-c94w-v3x4 CVE-2026-40318
Summary

An attacker with publish-reader access can delete any file in the SiYuan workspace by manipulating the URL to access files outside of the expected attribute view directory. This can lead to the loss of attribute view definitions, global workspace configuration, and other important data. To fix this, ensure that all users with publish-reader access are reviewed and privileges are adjusted accordingly.

What to do
  • Update github.com siyuan-note to version 3.6.4 (Go module pseudo-version 0.0.0-20260407035653-2f416e5253f1).
Affected software
Ecosystem  Vendor      Product      Affected versions
go         github.com  siyuan-note  < 0.0.0-20260407035653-2f416e5253f1
Fix: upgrade to 3.6.4 (Go module pseudo-version 0.0.0-20260407035653-2f416e5253f1)
Original title
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id ...
Original description
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject path traversal sequences such as ../ into the id value to escape the intended directory and delete arbitrary .json files on the server, including global configuration files and workspace metadata. This issue has been fixed in version 3.6.4.
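The flawed path-building step described above and a hardened version of it, as an added example in Go (not SiYuan's own code; the directory, function names and the assumed id format are illustrative assumptions):

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

var errBadAVID = errors.New("invalid attribute view id")

// Assumed id format: attribute view ids are plain tokens, never path segments.
var avIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// unsafeAVPath mirrors the flaw: the id is joined into the path unvalidated,
// so filepath.Join resolves any ".." segments it contains.
func unsafeAVPath(avDir, id string) string {
	return filepath.Join(avDir, id+".json")
}

// safeAVPath rejects ids that are not plain tokens and, as defence in depth,
// any result that does not stay inside avDir once the path is cleaned.
func safeAVPath(avDir, id string) (string, error) {
	if !avIDPattern.MatchString(id) {
		return "", errBadAVID
	}
	root := filepath.Clean(avDir)
	p := filepath.Join(root, id+".json")
	rel, err := filepath.Rel(root, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errBadAVID
	}
	return p, nil
}

// removeUnusedAV deletes <avDir>/<id>.json only when the id passes validation.
func removeUnusedAV(avDir, id string) error {
	p, err := safeAVPath(avDir, id)
	if err != nil {
		return err
	}
	return os.Remove(p)
}

func main() {
	// "/data/av" is a constructed directory, not SiYuan's real layout.
	fmt.Println(unsafeAVPath("/data/av", "../conf/conf")) // /data/conf/conf.json (escaped)
	_, err := safeAVPath("/data/av", "../conf/conf")
	fmt.Println(err) // invalid attribute view id
}
```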
Severity: CVSS 3.1 8.5 (GHSA)
Vulnerability type
CWE-24 (Path Traversal: '../filedir')
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 10 Apr 2026