Vulnerability Description
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject path traversal sequences such as ../ into the id value to escape the intended directory and delete arbitrary .json files on the server, including global configuration files and workspace metadata. This issue has been fixed in version 3.6.4.
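One defensive pattern for the flaw described above, written here as an added Go example (it is not SiYuan's code; the base directory `/data/storage/av`, the id allow-list regexp and the function names are assumptions for illustration). It places the vulnerable construction, a user-controlled id joined straight onto a directory, beside a hardened version that applies an allow-list to the id and then verifies the cleaned path still lies inside the intended directory before any file operation:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrUnsafeID is returned when an id is rejected by the allow-list or would
// resolve to a path outside the attribute-view directory.
var ErrUnsafeID = errors.New("unsafe attribute view id")

// idPattern is an assumed allow-list for this example: 14 digits, a hyphen and
// 7 lowercase alphanumerics. Traversal sequences such as "../" cannot match it.
var idPattern = regexp.MustCompile(`^[0-9]{14}-[a-z0-9]{7}$`)

// UnsafePath mirrors the vulnerable pattern: the id is joined onto the
// directory with no validation, so ".." segments walk out of avDir.
func UnsafePath(avDir, id string) string {
	return filepath.Join(avDir, id+".json")
}

// WithinDir reports whether p, after cleaning, is located under base.
// filepath.Rel yields a path starting with ".." when p escapes base, and the
// separator check prevents a sibling directory such as "av2" from matching "av".
func WithinDir(base, p string) bool {
	rel, err := filepath.Rel(filepath.Clean(base), filepath.Clean(p))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// SafePath builds the same path as UnsafePath but refuses any id that fails
// the allow-list, then re-checks the resolved path as defence in depth so a
// later change to the allow-list cannot silently reintroduce traversal.
func SafePath(avDir, id string) (string, error) {
	if !idPattern.MatchString(id) {
		return "", ErrUnsafeID
	}
	p := filepath.Join(avDir, id+".json")
	if !WithinDir(avDir, p) {
		return "", ErrUnsafeID
	}
	return p, nil
}

func main() {
	const avDir = "/data/storage/av" // assumed directory for the example
	// Constructed sample ids: one well-formed, one carrying a traversal sequence.
	for _, id := range []string{"20210808180117-6v0mkxr", "../../conf/conf"} {
		safe, err := SafePath(avDir, id)
		fmt.Printf("id=%q\n  unsafe join -> %s\n  safe join   -> %q err=%v\n",
			id, UnsafePath(avDir, id), safe, err)
	}
}
```

The boundary check alone would already stop the traversal, but the allow-list is the cheaper and more precise control: an id that cannot contain `/`, `\` or `.` never reaches the filesystem layer with anything but a single file name. Logging rejections from `SafePath` also gives a simple detection signal for probing against this kind of endpoint.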
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| B3Log | Siyuan | < 3.6.4 |
Related Weaknesses (CWE)
References
- https://github.com/siyuan-note/siyuan/releases/tag/v3.6.4 (Release Notes)
- https://github.com/siyuan-note/siyuan/security/advisories/GHSA-vw86-c94w-v3x4 (Third Party Advisory)
FAQ
What is CVE-2026-40318?
CVE-2026-40318 is a vulnerability with a CVSS score of 8.5 (HIGH). SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id par...
How severe is CVE-2026-40318?
CVE-2026-40318 has been rated HIGH with a CVSS base score of 8.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-40318?
Check the references section above for vendor advisories and patch information. Affected products include: B3Log Siyuan.