CVE-2026-54066
HighCVSS 7.5Exploitation Probability (EPSS)
High risk77th percentile — higher than 77% of all known CVEs
Summary
SiYuan is an open-source personal knowledge management system. In versions prior to 3.7.0, a vulnerability allowed an unauthenticated attacker to read arbitrary files in WorkspaceDir by double URL-encoding in the /assets/*path route.
Risk Assessment
An attacker could access sensitive data such as the AccessAuthCode hash, API token, and sync keys, posing a serious security risk to the organization.
Recommendation
It is recommended to upgrade SiYuan to version 3.7.0 or later to mitigate this vulnerability.
Original NVD description (English source)
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the patch for CVE-2026-41894 ("Path Traversal via Double URL Encoding") sanitized the /export/ route but the identical root cause remains in the /assets/*path route. In publish mode (anonymous read-only HTTP endpoint, default port 6808), an unauthenticated remote attacker can read arbitrary files inside WorkspaceDir — including conf/conf.json (which contains the AccessAuthCode SHA256 hash, API token, and sync keys), temp/siyuan.db, temp/blocktree.db, and siyuan.log — by double-URL-encoding .. segments. This vulnerability is fixed in 3.7.0.

