CVE-2026-33194 - Vulnerability Analysis
MediumCVSS: 6.8Last Updated: March 23, 2026
SiYuan - Path Traversal
Published: March 20, 2026Updated: March 23, 2026PoC AvailableRemote Exploitable
Overview
SiYuan < 3.6.2 contains a path traversal caused by incomplete denylist in IsSensitivePath function, letting attackers read files outside workspace via globalCopyFiles and importStdMd endpoints, exploit requires no special privileges.
Severity & Score
Severity: Medium
CVSS Score: 6.8
Impact
Attackers can read sensitive files outside the workspace, potentially exposing confidential data.
Mitigation
Update to version 3.6.2 or later.
Related Resources
Details
- CVE ID
- CVE-2026-33194
- Severity
- Medium
- CVSS Score
- 6.8
- Type
- path_traversal
- Status
- confirmed
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N