CVE-2026-40318— SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView`
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-40318
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView`
Source: NVD (National Vulnerability Database)
Vulnerability Description
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject path traversal sequences such as ../ into the id value to escape the intended directory and delete arbitrary .json files on the server, including global configuration files and workspace metadata. This issue has been fixed in version 3.6.4.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
路径遍历:’../filedir’
Source: NVD (National Vulnerability Database)
Vulnerability Title
SiYuan 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
SiYuan是SiYuan开源的一个个人知识管理系统。 SiYuan 3.6.3及之前版本存在安全漏洞,该漏洞源于/api/av/removeUnusedAttributeView端点使用用户控制的id参数构造文件系统路径而未经验证或路径边界强制,攻击者可注入路径遍历序列以删除服务器上的任意.json文件。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| siyuan-note | siyuan | < 3.6.4 | - |
II. Public POCs for CVE-2026-40318
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-40318
请登录查看更多情报信息。
Same Patch Batch · siyuan-note · 2026-04-16 · 4 CVEs total
| CVE-2026-40322 | 9.1 CRITICAL | SiYuan: Mermaid `javascript:` Link Injection Leads to Stored XSS and Electron RCE |
| CVE-2026-40259 | 8.1 HIGH | SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via removeUnusedAttribu |
| CVE-2026-40922 | SiYuan: Incomplete sanitization of bazaar README allows stored XSS via iframe srcdoc (inco |
IV. Related Vulnerabilities
Same product: siyuan
- CVE-2026-41894
SiYuan: Incomplete Fix Bypass for CVE-2026-30869: Path Trave - CVE-2026-41421
SiYuan Desktop Notification XSS Leads to Electron RCE - CVE-2026-40922
SiYuan: Incomplete sanitization of bazaar README allows stor - CVE-2026-40322
SiYuan: Mermaid `javascript:` Link Injection Leads to Stored - CVE-2026-40259
SiYuan: Publish Reader Can Arbitrarily Delete Attribute View
Same vendor: siyuan-note
- CVE-2026-41894
SiYuan: Incomplete Fix Bypass for CVE-2026-30869: Path Trave - CVE-2026-41421
SiYuan Desktop Notification XSS Leads to Electron RCE - CVE-2026-40922
SiYuan: Incomplete sanitization of bazaar README allows stor - CVE-2026-40322
SiYuan: Mermaid `javascript:` Link Injection Leads to Stored - CVE-2026-40259
SiYuan: Publish Reader Can Arbitrarily Delete Attribute View
V. Comments for CVE-2026-40318
No comments yet