CVE-2026-40318 HIGH

CVE-2026-40318: SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView`

Vendor Siyuan-Note
Product siyuan
Weakness CWE-24 (Path Traversal: '../filedir')
Published April 16, 2026
Last update April 18, 2026

CVSS base score

8.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Changed
Confidentiality None
Integrity Low
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H

What the vulnerability does

Description

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path from the user-controlled id parameter without validating it or enforcing a path boundary. An attacker who can reach the API with low privileges (PR:L, no user interaction) can inject path traversal sequences such as ../ into the id value to escape the intended attribute-view directory and delete arbitrary .json files on the server, including global configuration files and workspace metadata; because the target is not limited to the attribute-view store, the impact is rated scope-changed with high availability impact. This issue has been fixed in version 3.6.4; affected deployments should upgrade and, until then, restrict network access to the kernel API.
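The following Go snippet is an added illustration of the flaw class described above and one way to close it; it is not SiYuan's own code. The storage directory `workspace/data/storage/av`, the `idPattern` allow-list and the function names are assumptions made for the example. It shows the unvalidated join that lets `../` climb out of the directory, and a hardened variant that rejects the id before any filesystem call and double-checks that the resolved path stays under the base directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrBadID is returned when an attribute-view id fails validation.
var ErrBadID = errors.New("invalid attribute view id")

// idPattern is an assumed allow-list for the id parameter (letters, digits,
// '-' and '_'). It is the editor's assumption, not SiYuan's actual id format,
// but it excludes '.', '/' and '\' and therefore any traversal sequence.
var idPattern = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// vulnerablePath mirrors the flaw in the advisory: the user-controlled id is
// joined onto the storage directory with no validation. filepath.Join cleans
// the result, so "../" components are collapsed into the parent directories
// and the path escapes avDir.
func vulnerablePath(avDir, id string) string {
	return filepath.Join(avDir, id+".json")
}

// safePath validates the id against the allow-list, then confirms that the
// resolved path is still inside avDir. The second check is defense in depth
// in case the allow-list is ever loosened.
func safePath(avDir, id string) (string, error) {
	if !idPattern.MatchString(id) {
		return "", ErrBadID
	}
	base, err := filepath.Abs(avDir)
	if err != nil {
		return "", err
	}
	p := filepath.Join(base, id+".json")
	rel, err := filepath.Rel(base, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadID
	}
	return p, nil
}

// removeUnusedAttributeView is the hardened delete: it removes only a file
// whose path safePath accepted. A hypothetical stand-in for the endpoint's
// handler, not the project's implementation.
func removeUnusedAttributeView(avDir, id string) error {
	p, err := safePath(avDir, id)
	if err != nil {
		return err
	}
	return os.Remove(p)
}

func main() {
	avDir := filepath.Join("workspace", "data", "storage", "av")

	// Constructed attacker input: climbs three levels and names a config file.
	evil := "../../../conf/conf"
	fmt.Println("vulnerable join resolves to:", vulnerablePath(avDir, evil))
	if _, err := safePath(avDir, evil); err != nil {
		fmt.Println("hardened path rejects it:", err)
	}

	// A well-formed id (constructed) is accepted and stays under avDir.
	if p, err := safePath(avDir, "20260416120000-abcdefg"); err == nil {
		fmt.Println("hardened path accepts:", p)
	}
}
```

The allow-list is the primary control: an identifier endpoint should never need to accept path separators or dots, so rejecting them outright is simpler and safer than trying to canonicalise and compare. The `filepath.Rel` check remains as a guard against a future change that widens the pattern.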

Key dates

Disclosure timeline

April 16, 2026 CVE published
April 18, 2026 Record updated