Home / Vulnerability Intelligence / CVE-2026-33476

CVE-2026-33476 - Vulnerability Analysis

HighCVSS: 7.5

Last Updated: March 23, 2026

SiYuan - Path Traversal

Published: March 20, 2026Updated: March 23, 2026PoC AvailableRemote Exploitable

Overview

SiYuan < 3.6.2 contains a path traversal caused by improper path sanitization in the /appearance/*filepath endpoint, letting unauthenticated attackers read arbitrary files accessible to the server process, exploit requires no authentication.

Severity & Score

Severity: High

CVSS Score: 7.5

EPSS Score: 88.7%(Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can read arbitrary files accessible to the server, potentially exposing sensitive information.

Mitigation

Update to version 3.6.2 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 21, 2026

🟠 CVE-2026-33476 - High (7.5) SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath.` Due to improper path sanitization, attackers can perform directory traversa... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33476/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-33476
Severity: High
CVSS Score: 7.5
Type: path_traversal
Status: confirmed
EPSS: 88.7%
Social Posts: 1

CWE

CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score

88.7%Probability of exploitation in the next 30 days