CVE-2026-40259HIGH 8.1EPSS p31.6%

CVE-2026-40259CVE-2026-40259

Description

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by generic authentication that accepts publish-service RoleReader tokens. The handler passes a caller-controlled id directly to a model function that unconditionally deletes the corresponding attribute view file from the workspace without verifying that the caller has write privileges or that the target attribute view is actually unused. An authenticated publish-service reader can permanently delete arbitrary attribute view definitions by extracting publicly exposed data-av-id values from published content, causing breakage of database views and workspace rendering until manually restored. This issue has been fixed in version 3.6.4.

Scoring

CVSS 3.18.1 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS0.40% probability of exploitation · percentile 31.6% · 2026-06-19T12:03:05Z
Published2026-04-16
Last modified2026-04-20

Underlying weaknesses· 1

CWE-285

References

  1. https://github.com/siyuan-note/siyuan/releases/tag/v3.6.4
  2. https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7m5h-w69j-qggg
  3. https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7m5h-w69j-qggg

1

TypeTargetConfidenceTier
WeaknessImproper Authorizationcwe-2850%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-40318
CVE
CVE-2026-32767
CVE
CVE-2026-29073
CVE
CVE-2026-30869
CVE
CVE-2026-32749
CVE
CVE-2025-21609
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.