3 matches found
PT-2026-52107
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the patch for CVE-2026-41894 "Path Traversal via Double URL Encoding" sanitized the /export/ route but the identical root cause remains in the /assets/path route. In publish mode anonymous read-only HTTP endpoint,...
CVE-2026-41894 SiYuan: Incomplete Fix Bypass for CVE-2026-30869: Path Traversal via Double URL Encoding in `/export/` Endpoint
SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, the fix for CVE-2026-30869 only added a denylist check IsSensitivePath but did not address the root cause — a redundant url.PathUnescape call in serveExport. An authenticated attacker can use double URL encoding...
CVE-2026-41894
creationtimestamp | type | source
---|---|---
2026-04-19 09:48:52+00:00 | published-proof-of-concept | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hjh7-r5w8-5872
2026-06-24 23:00:38+00:00 | seen | https://bsky.app/profile/euvd-bot.bsky.social/post/3mp2zg2oftg2u...