CVE-2026-40318 · HIGH 8.5 · EPSS p20.2%


Description

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject path traversal sequences such as ../ into the id value to escape the intended directory and delete arbitrary .json files on the server, including global configuration files and workspace metadata. This issue has been fixed in version 3.6.4.
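
The weakness class the advisory describes, shown as an added example in Go (SiYuan's kernel language). This is not SiYuan's code and not its fix: the storage directory layout, the ID format used for the allowlist, the function names and the traversal payload are assumptions made for the illustration. The unsafe builder joins the caller's id straight into a path, so a value such as `../../../conf/conf` escapes the attribute-view directory; the hardened builder rejects anything that is not a well-formed ID and then re-checks that the resolved path still lies under the storage directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Added illustration of the weakness class in the advisory; not SiYuan's code.
// The directory layout, the ID format and the names below are assumptions.

// ErrBadAVID is returned when an attribute-view id fails validation.
var ErrBadAVID = errors.New("invalid attribute view id")

// avIDPattern is an allowlist for the id: 14 digits, a hyphen, 7 lowercase
// alphanumerics (assumed to be the shape of SiYuan block IDs).
var avIDPattern = regexp.MustCompile(`^[0-9]{14}-[0-9a-z]{7}$`)

// avPathUnsafe mirrors the vulnerable pattern: the caller-supplied id is
// joined into the path with no validation, so "../" segments are honored
// and the resulting path can point at any .json file on the host.
func avPathUnsafe(avDir, id string) string {
	return filepath.Join(avDir, id+".json")
}

// withinBase reports whether p lies strictly inside base after lexical
// cleaning. Symlinks are not followed here; that would need EvalSymlinks
// on an existing path.
func withinBase(base, p string) bool {
	rel, err := filepath.Rel(filepath.Clean(base), filepath.Clean(p))
	if err != nil {
		return false
	}
	return rel != "." && rel != ".." &&
		!strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// avPathSafe validates the id against the allowlist first (the real fix),
// then re-checks the resulting path against the storage directory as
// defense in depth.
func avPathSafe(avDir, id string) (string, error) {
	if !avIDPattern.MatchString(id) {
		return "", ErrBadAVID
	}
	p := filepath.Join(avDir, id+".json")
	if !withinBase(avDir, p) {
		return "", ErrBadAVID
	}
	return p, nil
}

func main() {
	const avDir = "/ws/data/storage/av" // assumed layout, not SiYuan's actual path
	// Constructed traversal payload aimed at a hypothetical global config file.
	payload := "../../../conf/conf"

	fmt.Println("unsafe:", avPathUnsafe(avDir, payload))
	if _, err := avPathSafe(avDir, payload); err != nil {
		fmt.Println("safe  : rejected:", err)
	}
	if p, err := avPathSafe(avDir, "20230101120000-abcdefg"); err == nil {
		fmt.Println("safe  :", p)
	}
}
```

Note that `filepath.Join` cleans the result, which is exactly why the unsafe variant is dangerous: the `..` segments are resolved, not preserved, and the deletion lands outside `avDir`. A prefix check on the raw string would not be enough either; validating the id's format before it touches a path is the check that removes the problem, and the boundary check catches any future code path that bypasses it.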

Scoring

CVSS 3.1: 8.5 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
EPSS: 0.29% probability of exploitation · percentile 20.2% · 2026-06-19T12:03:05Z
Published: 2026-04-16
Last modified: 2026-04-20

Underlying weaknesses (1)

CWE-24

References

  1. https://github.com/siyuan-note/siyuan/releases/tag/v3.6.4
  2. https://github.com/siyuan-note/siyuan/security/advisories/GHSA-vw86-c94w-v3x4


Type      Target                                 Confidence  Tier
Weakness  Path Traversal: '../filedir' (cwe-24)  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-40259
CVE: CVE-2026-30869
CVE: CVE-2026-32749
CVE: CVE-2025-21609
CVE: CVE-2026-32767
CVE: CVE-2026-34448
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.