High severity · NVD Advisory · Published Apr 24, 2026 · Updated Apr 27, 2026
CVE-2026-41894
Description
SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, the fix for CVE-2026-30869 only added a denylist check (IsSensitivePath) but did not address the root cause — a redundant url.PathUnescape() call in serveExport(). An authenticated attacker can use double URL encoding (%252e%252e) to traverse directories and read arbitrary workspace files including the full SQLite database (siyuan.db), kernel log, and all user documents. This vulnerability is fixed in 3.6.5.
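The ordering defect described above (denylist applied before a redundant second decode) beside a resolver that avoids it, as an added Go example that is not SiYuan's own code; the function names, the workspace root and the request segments are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a requested path would leave the workspace root.
var ErrTraversal = errors.New("path escapes workspace root")

// denylistHit stands in for a substring denylist (a check for ".." segments),
// the kind of check the advisory says was added but is insufficient on its own.
func denylistHit(p string) bool {
	return strings.Contains(p, "..")
}

// decodeTwice reproduces the ordering defect: the denylist only ever sees the
// once-decoded value, and a redundant second PathUnescape afterwards reveals
// traversal sequences the denylist never inspected.
func decodeTwice(raw string) (afterFirst, afterSecond string, err error) {
	if afterFirst, err = url.PathUnescape(raw); err != nil {
		return "", "", err
	}
	if afterSecond, err = url.PathUnescape(afterFirst); err != nil {
		return "", "", err
	}
	return afterFirst, afterSecond, nil
}

// resolveExportPath is a hypothetical hardened resolver: decode exactly once,
// clean, join under root, then verify the result is still inside root.
// With no second decode, "%252e%252e" becomes the literal directory name
// "%2e%2e" and cannot traverse; a real "../" is caught by the Rel check.
func resolveExportPath(root, raw string) (string, error) {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return "", err
	}
	rootAbs := filepath.Clean(root)
	full := filepath.Join(rootAbs, filepath.FromSlash(decoded))
	rel, err := filepath.Rel(rootAbs, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}
```

The containment check is done on the resolved path rather than on the encoded string, so it holds regardless of how many encoding layers a request carries.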
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/siyuan-note/siyuan/kernel | Go | < 3.6.5 | 3.6.5 |
References
- github.com/advisories/GHSA-2h2p-mvfx-868w (GHSA, advisory)
- github.com/advisories/GHSA-hjh7-r5w8-5872 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-41894 (GHSA, advisory)
- github.com/siyuan-note/siyuan/commit/bb481e1290c4a34255652ede85a546504505d2a7 (NVD, web)
- github.com/siyuan-note/siyuan/releases/tag/v3.6.5 (NVD, web)
- github.com/siyuan-note/siyuan/security/advisories/GHSA-hjh7-r5w8-5872 (NVD, web)