CVE-2026-59832 in SiYuaninfo

Summary

by MITRE • 07/10/2026

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the /snippets/*filepath route handler serveSnippets in kernel/server/serve.go joins a single-decoded request path with the snippets directory without subpath containment or sensitive-path checks, allowing an authenticated request such as /snippets/%2e%2e/%2e%2e/conf/conf.json to read workspace secrets and the document database. This issue is fixed in versions 3.7.1.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability in SiYuan knowledge management system represents a critical path traversal flaw that enables authenticated users to access sensitive system files through improper input validation in the snippets route handler. The issue exists in the serveSnippets function within kernel/server/serve.go where the application fails to implement proper subpath containment checks when processing user-supplied file paths. This weakness allows attackers to manipulate URL-encoded path sequences such as %2e%2e which decode to double dots representing parent directory navigation, thereby bypassing intended security boundaries.

The technical exploitation occurs through the improper joining of a single-decoded request path with the snippets directory without validating that the resulting path remains within the designated boundaries. When an authenticated user submits a crafted request like /snippets/%2e%2e/%2e%2e/conf/conf.json, the system processes this as a legitimate file access attempt while actually traversing multiple parent directories to reach critical configuration files and database resources. This vulnerability falls under CWE-22 Path Traversal and aligns with ATT&CK technique T1059 Command and Scripting Interpreter for lateral movement and information gathering activities.

The operational impact of this vulnerability is severe as it provides attackers with access to workspace secrets, database contents, and configuration files that could contain sensitive credentials, user data, or system configurations. An authenticated attacker can leverage this flaw to extract confidential information from the knowledge management system, potentially leading to further compromise of the underlying infrastructure. The vulnerability affects all versions prior to 3.7.1 and represents a failure in input sanitization and path validation controls that should prevent arbitrary file access patterns.

Mitigation strategies include implementing proper subpath containment checks that validate all user-supplied paths against the intended directory boundaries before processing file operations. The system should normalize and sanitize all input paths, reject any attempts to traverse parent directories beyond allowed boundaries, and enforce strict access controls for sensitive system files. Additionally, implementing robust path validation routines that check for encoded sequences and ensure all file operations occur within designated safe directories will prevent similar vulnerabilities from occurring in future releases of the software.

Responsible

GitHub M

Reservation

07/07/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!