SiYuan Path Traversal Vulnerability via Double URL Encoding Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in SiYuan versions prior to 3.6.5. The issue arises from a redundant URL decoding operation in the 'serveExport' function, which can be exploited by authenticated attackers to access sensitive files. By using double URL encoding, attackers can traverse directories and read various workspace files, including the complete SQLite database, kernel log, and all user documents.

Impact

Exploitation of this vulnerability allows for unauthorized access to sensitive files, including the full SQLite database, kernel log, and all user documents.

Reproduction

To reproduce this vulnerability, send an authenticated GET request to the '/export/' endpoint whose path contains double URL-encoded traversal sequences, that is, each '..' sent as '%252e%252e' rather than as '../' or '%2e%2e'. The Go HTTP layer percent-decodes the request path once before the handler runs, so '%252e%252e' arrives in 'serveExport' as '%2e%2e', which contains no literal '..' and therefore passes any traversal filtering applied to the once-decoded path. The redundant second decode inside 'serveExport' then turns '%2e%2e' into '..', and the resulting path resolves outside the export directory, so the server returns workspace files that were never exported.
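The decode-twice sequence described above, as an added Go example that is not SiYuan's code: it models the router's single percent-decode, a placeholder check on the once-decoded path (an assumption standing in for whatever filtering runs before the handler; the advisory does not describe it), the handler's redundant second decode, and, beside it, a hardened resolver that does not decode again and confines the cleaned path to the export directory. The directory layout and the target name conf.json are hypothetical, and the hardened resolver is one way to fix the pattern, not SiYuan's actual patch.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Hypothetical export directory used for illustration only; it is not
// SiYuan's real workspace layout.
const exportDir = "/workspace/temp/export"

// routerDecode models what Go's net/http layer does before a handler runs:
// the request path is percent-decoded exactly once, so a double-encoded
// "%252e%252e" reaches the handler as "%2e%2e", with no literal "..".
func routerDecode(rawPath string) (string, error) {
	return url.PathUnescape(rawPath)
}

// looksLikeTraversal is an assumed placeholder for filtering applied to the
// once-decoded path. It rejects any path element equal to "..", which is why
// plain and single-encoded traversals fail while "%2e%2e" slips through.
func looksLikeTraversal(decodedOnce string) bool {
	for _, elem := range strings.Split(decodedOnce, "/") {
		if elem == ".." {
			return true
		}
	}
	return false
}

// vulnerableResolve mirrors the flawed pattern the advisory describes: the
// handler percent-decodes the already-decoded path a second time and joins
// it onto the export directory without checking where the result points.
// "%2e%2e" becomes ".." here, and path.Join collapses it into a traversal.
func vulnerableResolve(decodedOnce string) (string, error) {
	decodedTwice, err := url.PathUnescape(decodedOnce)
	if err != nil {
		return "", err
	}
	return path.Join(exportDir, decodedTwice), nil
}

// hardenedResolve performs no further decoding, cleans the path, and refuses
// anything that does not stay beneath exportDir. A literal "%2e%2e" is then
// nothing more than an oddly named file inside the export directory.
func hardenedResolve(decodedOnce string) (string, error) {
	target := path.Join(exportDir, decodedOnce) // Join also applies path.Clean
	if target != exportDir && !strings.HasPrefix(target, exportDir+"/") {
		return "", errors.New("path escapes export directory: " + target)
	}
	return target, nil
}

// serveExport simulates the request pipeline for a given resolver: router
// decode, the assumed once-decoded check, then the handler's own resolution.
// rawPath is the part of the request path after /export/, as sent on the wire.
func serveExport(rawPath string, resolve func(string) (string, error)) (string, error) {
	decodedOnce, err := routerDecode(rawPath)
	if err != nil {
		return "", err
	}
	if looksLikeTraversal(decodedOnce) {
		return "", errors.New("traversal rejected before handler: " + decodedOnce)
	}
	return resolve(decodedOnce)
}

func main() {
	// Constructed request paths: a plain traversal, a single-encoded one,
	// and the double-encoded form the advisory describes.
	requests := []string{
		"../../conf.json",
		"%2e%2e/%2e%2e/conf.json",
		"%252e%252e/%252e%252e/conf.json",
	}
	for _, r := range requests {
		v, verr := serveExport(r, vulnerableResolve)
		h, herr := serveExport(r, hardenedResolve)
		fmt.Printf("%-34s vulnerable -> %q %v\n", r, v, verr)
		fmt.Printf("%-34s hardened   -> %q %v\n", r, h, herr)
	}
}
```

Run it and compare the two columns: only the double-encoded request gets past the once-decoded check, and only the vulnerable resolver turns it into /workspace/conf.json. The hardened resolver checks the cleaned absolute path rather than scanning the input for '..', so it holds regardless of how many encoding layers the request carries.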

Remediation

Upgrade to SiYuan 3.6.5 or later, which fixes this vulnerability. Until the upgrade is applied, limit who holds authenticated access to the instance, since exploitation requires a valid session.

Added: Apr 24, 2026, 8:52 PM
Updated: Apr 24, 2026, 8:52 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.