NIXPKGS-2026-0801

GitHub issue published on

Permalink CVE-2026-33670

9.8 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 1 week, 6 days ago by @LeSuisse Activity log

Created automatic suggestion 1 week, 6 days ago
@LeSuisse accepted 1 week, 6 days ago
@LeSuisse published on GitHub 1 week, 6 days ago

SiYuan has directory traversal within its publishing service

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the /api/file/readDir interface was used to traverse and retrieve the file names of all documents under a notebook. Version 3.6.2 patches the issue.

References

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-xmw9-6r43-x9ww x_refsource_CONFIRM

Affected products

siyuan

==< 3.6.2

Matching in nixpkgs

pkgs.siyuan

Privacy-first personal knowledge management system that supports complete offline usage, as well as end-to-end encrypted data sync

nixos-unstable 3.6.1
- nixpkgs-unstable 3.6.0
- nixos-unstable-small 3.6.1
nixos-25.11 3.5.4
- nixos-25.11-small 3.5.4
- nixpkgs-25.11-darwin 3.5.4

Package maintainers

@TomaSajt TomaSajt
@L-Trump Luo Chen <ltrump@163.com>

Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-xmw9-6r43-x9ww

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0801

References

Affected products

Matching in nixpkgs

pkgs.siyuan

Package maintainers