LeakyCreds

CVE-2026-40318 - Vulnerability Analysis

High | CVSS: 8.5

Last Updated: April 16, 2026

SiYuan - Path Traversal

Published: April 16, 2026 | Updated: April 16, 2026 | Remote Exploitable

Overview

SiYuan <= 3.6.3 contains a path traversal vulnerability caused by missing validation of the user-controlled id parameter in /api/av/removeUnusedAttributeView, which lets attackers delete arbitrary .json files. Exploitation requires a crafted id parameter.

Severity & Score

Severity: High
CVSS Score: 8.5

Impact

Attackers can delete arbitrary .json files on the server, including critical configuration and metadata files, causing data loss and service disruption.

Mitigation

Update to version 3.6.4 or later.
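
For code that turns a request id into a .json file path, as the endpoint in the Overview does, the check that was missing looks like the following. This is an added example, not SiYuan's code or its patch; the helper name, the id pattern and the base directory are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumed id shape (14-digit timestamp, dash, 7 lowercase alphanumerics).
// Adjust to the id format the application actually issues.
var idPattern = regexp.MustCompile(`^[0-9]{14}-[0-9a-z]{7}$`)

var ErrBadID = errors.New("invalid id")

// safeJSONPath (hypothetical helper) maps a request id to <baseDir>/<id>.json
// and refuses any id that could resolve outside baseDir.
func safeJSONPath(baseDir, id string) (string, error) {
	// 1. Allowlist the id: rejects separators, "..", NUL bytes and empty ids.
	if !idPattern.MatchString(id) {
		return "", ErrBadID
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(base, id+".json") // Join also cleans the path
	// 2. Defence in depth: the cleaned path must still sit under base,
	//    so a later loosening of the pattern cannot reopen the traversal.
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadID
	}
	return target, nil
}

func main() {
	// Constructed inputs: one well-formed id, then traversal-style and empty ids.
	ids := []string{"20260416101500-abc1234", "../../conf/conf", "..", ""}
	for _, id := range ids {
		p, err := safeJSONPath("/srv/app/data/av", id) // constructed base directory
		fmt.Printf("%q -> %q, err=%v\n", id, p, err)
	}
}
```

Call the helper before any delete or open on the resulting path, and return an error to the client when it fails rather than falling back to the raw id.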

Details

CVE ID: CVE-2026-40318
Severity: High
CVSS Score: 8.5
Type: path_traversal
Status: new

CWE

  • CWE-24

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H