CVE-2026-40318 in SiYuan정보

요약

\~에 의해 MITRE • 2026. 04. 17.

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject path traversal sequences such as ../ into the id value to escape the intended directory and delete arbitrary .json files on the server, including global configuration files and workspace metadata. This issue has been fixed in version 3.6.4.

Be aware that VulDB is the high quality source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

책임이 있는

GitHub M

예약하다

2026. 04. 10.

공개

2026. 04. 17.

모더레이션

수락

항목

VDB-357986

CPE

준비됨

CWE

CWE-24 (확인됨)

CVSS

8.5 (CNA)

EPSS

0.00076

KEV

아니요

활동

매우 낮음

출처

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-40318
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-40318
CVE Details	https://www.cvedetails.com/cve/CVE-2026-40318/

◂ 이전 개요 다음 ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!