SiYuan Note Arbitrary File Deletion Vulnerability

Vulnerability

An arbitrary file deletion vulnerability has been identified in SiYuan Note version 3.1.18. The issue arises in the 'POST /api/history/getDocHistoryContent' endpoint, where an attacker can send a crafted payload to delete arbitrary files on the server. This vulnerability has been patched in version 3.1.19.

Impact

Exploitation of this vulnerability allows for the arbitrary deletion of files on the server.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/history/getDocHistoryContent' endpoint with a JSON payload containing the 'historyPath' parameter. Replace '<abs_filepath_of_a_file>' with the absolute path of the file intended for deletion. The request can be made using curl.
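The root cause described above is a client-controlled 'historyPath' that is used as a filesystem path without being confined to the history directory. The following Go function is an added example written for this page, not SiYuan's own code: the names 'SafeHistoryPath', 'RemoveHistoryFile' and the history root are assumptions, and it shows the kind of containment check a server should apply before passing such a parameter to os.Remove.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideHistory is returned when the resolved path escapes the history root.
var ErrOutsideHistory = errors.New("historyPath is outside the history directory")

// SafeHistoryPath resolves a client-supplied historyPath (absolute or relative)
// against historyRoot and returns it only if it stays strictly inside that root.
// Hypothetical helper for this example; not part of SiYuan.
func SafeHistoryPath(historyRoot, historyPath string) (string, error) {
	root, err := filepath.Abs(historyRoot)
	if err != nil {
		return "", err
	}
	var candidate string
	if filepath.IsAbs(historyPath) {
		// Clean collapses "..", so "/root/../elsewhere" becomes "/elsewhere".
		candidate = filepath.Clean(historyPath)
	} else {
		// Join also cleans, so "../x" relative to root resolves outside it.
		candidate = filepath.Join(root, historyPath)
	}
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return "", ErrOutsideHistory
	}
	// Reject the root itself (".") and anything that climbs out of it.
	// Checking "../" as a prefix avoids the "/data/historyX" prefix pitfall.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideHistory
	}
	return candidate, nil
}

// RemoveHistoryFile deletes a history file only after the containment check.
// Note: if the history root can contain symlinks, resolve the candidate with
// filepath.EvalSymlinks before deleting, since Clean does not follow links.
func RemoveHistoryFile(historyRoot, historyPath string) error {
	p, err := SafeHistoryPath(historyRoot, historyPath)
	if err != nil {
		return err
	}
	return os.Remove(p)
}

func main() {
	// Constructed sample inputs; the root is an assumed example path.
	root := "/data/siyuan/history"
	for _, in := range []string{
		"/data/siyuan/history/2025-06/doc.sy",
		"2025-06/doc.sy",
		"/etc/hostname",
		"/data/siyuan/history/../conf/conf.json",
		"../conf/conf.json",
		"/data/siyuan/historyX/doc.sy",
	} {
		p, err := SafeHistoryPath(root, in)
		fmt.Printf("%-45s -> %q, %v\n", in, p, err)
	}
}
```

The check relies on filepath.Rel rather than on a string prefix comparison, because a prefix test would wrongly accept a sibling directory such as '/data/siyuan/historyX'.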

Remediation

Users can update to SiYuan Note version 3.1.19 to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.