{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40318", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T21:41:54.505Z", "datePublished": "2026-04-16T22:54:47.881Z", "dateUpdated": "2026-04-16T22:54:47.881Z"}, "containers": {"cna": {"title": "SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView`", "problemTypes": [{"descriptions": [{"cweId": "CWE-24", "lang": "en", "description": "CWE-24: Path Traversal: '../filedir'", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-vw86-c94w-v3x4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-vw86-c94w-v3x4"}, {"name": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.4"}], "affected": [{"vendor": "siyuan-note", "product": "siyuan", "versions": [{"version": "< 3.6.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-16T22:54:47.881Z"}, "descriptions": [{"lang": "en", "value": "SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject path traversal sequences such as ../ into the id value to escape the intended directory and delete arbitrary .json files on the server, including global configuration files and workspace metadata. This issue has been fixed in version 3.6.4."}], "source": {"advisory": "GHSA-vw86-c94w-v3x4", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject path traversal sequences such as ../ into the id value to escape the intended directory and delete arbitrary .json files on the server, including global configuration files and workspace metadata. This issue has been fixed in version 3.6.4."}], "id": "CVE-2026-40318", "lastModified": "2026-04-16T23:16:33.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-16T23:16:33.590", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.4"}, {"source": "security-advisories@github.com", "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-vw86-c94w-v3x4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-24"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.4)"}}], "enrichment": {"confidence": 84.0, "confidence_source": "matching", "scores": [{"score": 84.0, "source": "matching"}]}, "original": {"product": "siyuan", "source": "cna", "vendor": "siyuan-note"}, "product": "siyuan", "vendor": "siyuan"}], "analysis": {"en": {"generated_at": "2026-04-17T02:22:21.674444+00:00", "value": {"mitigation_remediation": ["Upgrade SiYuan to version 3.6.4 or later, where the path handling is corrected.", "Disallow or disable the /api/av/removeUnusedAttributeView endpoint until an upgrade is performed, to prevent unauthorized or unauthenticated requests.", "Implement input validation or directory boundary checks on the id parameter to ensure path traversal sequences cannot be used to reference files outside the intended directory."], "summary": {"action": "Patch", "impact": "Arbitrary File Deletion"}, "threat_synthesis": {"affected_systems": "Siyuan Note \u2013 SiYuan personal knowledge management system. Affected releases are 3.6.3 and earlier. The issue has been fixed starting with version 3.6.4.", "description_and_impact": "The vulnerability exists in the /api/av/removeUnusedAttributeView endpoint of the SiYuan application. The endpoint concatenates a user\u2011controlled id parameter directly into a file path, without any bounds checking or validation, allowing a malformed id that contains path traversal characters to escape the intended directory. An attacker who can supply such an id can delete arbitrary JSON files on the server, including global configuration files and workspace metadata. The resulting data loss or misconfiguration can lead to application disruption or inconsistent user state, and in worst\u2011case scenarios may allow an attacker to erase critical notes or workspace metadata.", "risk_and_exploitability": "The CVSS score of 8.5 classifies the flaw as High severity. No EPSS score is publicly available, and the vulnerability is not yet listed in the CISA KEV catalog. The attack requires that the attacker be able to send requests to the mentioned API endpoint, which typically means having a valid authentication token or remaining sessions. When the attack is successful, the victim\u2019s server is able to delete critical configuration files, potentially causing downtime or loss of user data. The flaw is remotely exploitable by sending crafted HTTP requests, meaning it can be triggered without gaining local access to the host."}}}}, "created": "2026-04-17T02:30:07.311523+00:00", "updated": "2026-04-17T08:00:10.878750+00:00", "vendors": ["siyuan", "siyuan$PRODUCT$siyuan"]}