NIXPKGS-2026-0703

GitHub issue published on

Permalink CVE-2026-33476

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

updated 2 weeks, 3 days ago by @LeSuisse Activity log

Created automatic suggestion 2 weeks, 5 days ago
@LeSuisse accepted 2 weeks, 3 days ago
@LeSuisse published on GitHub 2 weeks, 3 days ago

SiYuan has an Unauthenticated Arbitrary File Read via Path Traversal

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath.` Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process. Authentication checks explicitly exclude this endpoint, allowing exploitation without valid credentials. Version 3.6.2 fixes this issue.

References

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hhgj-gg9h-rjp7 x_refsource_CONFIRM
https://github.com/siyuan-note/siyuan/commit/009bb598b3beccc972aa5f1ed88b3b224326bf2a x_refsource_MISC

Affected products

siyuan

==< 3.6.2

Matching in nixpkgs

pkgs.siyuan

Privacy-first personal knowledge management system that supports complete offline usage, as well as end-to-end encrypted data sync

nixos-unstable 3.5.10
- nixpkgs-unstable 3.5.10
- nixos-unstable-small 3.5.10
nixos-25.11 3.5.4
- nixos-25.11-small 3.5.4
- nixpkgs-25.11-darwin 3.5.4

Package maintainers

@TomaSajt TomaSajt
@L-Trump Luo Chen <ltrump@163.com>

Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hhgj-gg9h-rjp7
Upstream patch: https://github.com/siyuan-note/siyuan/commit/009bb598b3beccc972aa5f1ed88b3b224326bf2a

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0703

References

Affected products

Matching in nixpkgs

pkgs.siyuan

Package maintainers