VYPR
Get started
← All advisories
High severityNVD Advisory· Published Apr 24, 2026· Updated Apr 27, 2026

CVE-2026-41894

CVE-2026-41894

Description

SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, the fix for CVE-2026-30869 only added a denylist check (IsSensitivePath) but did not address the root cause — a redundant url.PathUnescape() call in serveExport(). An authenticated attacker can use double URL encoding (%252e%252e) to traverse directories and read arbitrary workspace files including the full SQLite database (siyuan.db), kernel log, and all user documents. This vulnerability is fixed in 3.6.5.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/siyuan-note/siyuan/kernelGo
< 3.6.53.6.5

Affected products

1

Patches

1
bb481e1290c4

:lock: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hjh7-r5w8-5872

https://github.com/siyuan-note/siyuanDanielApr 19, 2026via ghsa
commit
2 files changed · +10 0
  • kernel/server/serve.go+5 0 modified
    @@ -319,6 +319,11 @@ func serveExport(ginServer *gin.Engine) {
 		}
 
 		fullPath := filepath.Join(exportBaseDir, decodedPath)
+		if !gulu.File.IsSubPath(exportBaseDir, fullPath) {
+			c.Status(http.StatusUnauthorized)
+			return
+		}
+
 		if util.IsSensitivePath(fullPath) {
 			logging.LogErrorf("refuse to export sensitive file [%s]", c.Request.URL.Path)
 			c.Status(http.StatusForbidden)
  • kernel/util/path.go+5 0 modified
    @@ -459,6 +459,11 @@ func IsSensitivePath(p string) bool {
 		return true
 	}
 
+	// *.db/*.log
+	if strings.HasSuffix(p, ".db") || strings.HasSuffix(p, ".log") {
+		return true
+	}
+
 	// 用户家目录下的敏感目录(小写比较)
 	homePrefixes := []string{
 		strings.ToLower(filepath.Join(HomeDir, ".ssh")),

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.