Cyber Posture

CVE-2026-30869

Critical · Public PoC

Published: 10 March 2026
Modified: 13 March 2026
KEV Added: not listed
Patch: fixed in 3.5.10
CVSS Score: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)
EPSS Score: 0.0027 (50.7th percentile)
Risk Priority: 19 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-30869 is a critical-severity Path Traversal (CWE-22) vulnerability in B3Log Siyuan. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 49.3% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and two other techniques (T1005, T1552.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 Information Input Validation (prevent)
Requires validation of inputs to the /export endpoint to block double-encoded path traversal sequences such as "../", directly preventing arbitrary file reads.

SI-2 Flaw Remediation (prevent)
Mandates timely flaw remediation by patching to SiYuan version 3.5.10, eliminating the vulnerable code in the /export endpoint.

AU-13 Monitoring for Information Disclosure (detect)
Enables monitoring for unauthorized disclosure of sensitive files such as conf/conf.json (which contains the API token and other secrets) via crafted /export requests.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

A path traversal in the public-facing /export endpoint (T1190) enables arbitrary file reads from the local filesystem (T1005), including configuration files that hold secrets such as the API token (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary files from the server filesystem. By exploiting double-encoded traversal sequences, an attacker can access sensitive files such as conf/conf.json, which contains secrets including the API token, cookie signing key, and workspace access authentication code. Leaking these secrets may enable administrative access to the SiYuan kernel API, and in certain deployment scenarios could potentially be chained into remote code execution (RCE). This vulnerability is fixed in 3.5.10.

Deeper analysis [AI]

CVE-2026-30869 is a path traversal vulnerability (CWE-22) affecting SiYuan, a personal knowledge management system, in versions prior to 3.5.10. The issue resides in the /export endpoint, which fails to properly sanitize inputs: the endpoint does not decode and validate the supplied path fully, so double-encoded traversal sequences (which decode to "../") let an attacker read arbitrary files from the server filesystem. This includes sensitive configuration files such as conf/conf.json, which stores critical secrets such as the API token, cookie signing key, and workspace access authentication code. The vulnerability carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L), indicating critical severity due to its network accessibility, low attack complexity, and lack of privilege or user-interaction prerequisites.

Any unauthenticated remote attacker can exploit this vulnerability by sending crafted requests to the /export endpoint. Successful exploitation enables the disclosure of sensitive files and secrets, potentially granting administrative access to the SiYuan kernel API. In certain deployment configurations, these leaked credentials could be chained with other flaws to achieve remote code execution (RCE), amplifying the impact beyond mere information disclosure.

The vulnerability is fixed in SiYuan version 3.5.10, as detailed in the GitHub Security Advisory GHSA-2h2p-mvfx-868w. Security practitioners should upgrade to the patched version immediately and review access logs for exploitation attempts involving double-encoded path traversal payloads.
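The two controls the analysis recommends (SI-10 input validation on the /export path and AU-13 monitoring of access logs for double-encoded traversal payloads) both come down to the same operation: strip every layer of percent-encoding before looking at the path. The following Go program is an added example and is not SiYuan's code or code from this page. It assumes an export root directory, a Common Log Format access log, and an /export URL layout that are all constructed for illustration; SiYuan's real parameter handling is not described here. SafeExportPath shows the validator side, and SuspiciousExportRequests shows the detection side over a handful of constructed log lines. It also catches single-encoded and plain "../" sequences, which is a generalization beyond the double-encoded case the advisory names.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for any client path that would leave the export root.
var ErrTraversal = errors.New("path escapes export root")

// fullyDecode percent-decodes until the string stops changing, so the
// double-encoded "%252e%252e%252f" becomes "%2e%2e%2f" and then "../".
func fullyDecode(s string) (string, error) {
	const maxRounds = 5 // more layers than this is itself suspicious
	cur := s
	for i := 0; i < maxRounds; i++ {
		next, err := url.PathUnescape(cur)
		if err != nil {
			return "", fmt.Errorf("malformed percent-encoding in %q", s)
		}
		if next == cur {
			return cur, nil
		}
		cur = next
	}
	return "", fmt.Errorf("too many encoding layers in %q", s)
}

// hasDotDotSegment reports whether any segment (split on / or \) is "..".
func hasDotDotSegment(p string) bool {
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, seg := range strings.FieldsFunc(p, isSep) {
		if seg == ".." {
			return true
		}
	}
	return false
}

// SafeExportPath resolves a client-supplied relative path against an absolute
// export root (an assumed deployment layout, not SiYuan's real one). It decodes
// every encoding layer first, rejects NUL bytes, absolute paths and any ".."
// segment outright, then independently confirms the cleaned result stays under root.
func SafeExportPath(root, userPath string) (string, error) {
	decoded, err := fullyDecode(userPath)
	if err != nil {
		return "", err
	}
	if strings.ContainsRune(decoded, 0) || filepath.IsAbs(decoded) || hasDotDotSegment(decoded) {
		return "", ErrTraversal
	}
	root = filepath.Clean(root)
	full := filepath.Join(root, decoded) // Join also cleans the result
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

// requestTarget extracts the request target from a Common Log Format line.
func requestTarget(line string) (string, bool) {
	start := strings.Index(line, `"`)
	if start < 0 {
		return "", false
	}
	end := strings.Index(line[start+1:], `"`)
	if end < 0 {
		return "", false
	}
	fields := strings.Fields(line[start+1 : start+1+end])
	if len(fields) < 2 {
		return "", false
	}
	return fields[1], true
}

// SuspiciousExportRequests returns log lines that hit /export and whose target,
// once all encoding layers are removed, contains a ".." segment (or cannot be
// decoded at all, which is also worth a look).
func SuspiciousExportRequests(lines []string) []string {
	var hits []string
	for _, line := range lines {
		target, ok := requestTarget(line)
		if !ok || !strings.HasPrefix(target, "/export") {
			continue
		}
		decoded, err := fullyDecode(target)
		if err != nil || hasDotDotSegment(decoded) {
			hits = append(hits, line)
		}
	}
	return hits
}

// sampleAccessLog is constructed for this example; addresses and URLs are made up.
var sampleAccessLog = []string{
	`192.0.2.10 - - [10/Mar/2026:12:00:01 +0000] "GET /export/notes/2026-03.md HTTP/1.1" 200 5120`,
	`192.0.2.77 - - [10/Mar/2026:12:00:05 +0000] "GET /export/%252e%252e%252f%252e%252e%252fconf%252fconf.json HTTP/1.1" 200 1337`,
	`192.0.2.10 - - [10/Mar/2026:12:00:09 +0000] "GET /assets/logo.png HTTP/1.1" 200 42`,
	`192.0.2.77 - - [10/Mar/2026:12:00:12 +0000] "GET /export/..%2F..%2Fconf%2Fconf.json HTTP/1.1" 403 0`,
}

func main() {
	root := "/srv/siyuan/workspace/export" // assumed root, not a real SiYuan path
	for _, p := range []string{"notes/2026-03.md", "%252e%252e%252fconf%252fconf.json"} {
		full, err := SafeExportPath(root, p)
		fmt.Printf("%-40s -> %q %v\n", p, full, err)
	}
	for _, hit := range SuspiciousExportRequests(sampleAccessLog) {
		fmt.Println("ALERT:", hit)
	}
}
```

The containment check via filepath.Rel is deliberately kept even though ".." segments are already rejected: if a future change relaxes the string check, the path still cannot resolve outside the root. On the detection side, feeding decoded paths rather than raw ones to the rule is what makes a single signature cover plain, single-encoded and double-encoded variants.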

Details

CWE(s)
CWE-22 (Path Traversal)

Affected Products

b3log
siyuan
≤ 3.5.10 (as listed; the advisory text above states that versions prior to 3.5.10 are affected and that 3.5.10 is the fixed release)

CVEs Like This One

CVE-2026-25992: same product (B3Log Siyuan)
CVE-2026-23850: same product (B3Log Siyuan)
CVE-2026-33670: same product (B3Log Siyuan)
CVE-2026-33476: same product (B3Log Siyuan)
CVE-2026-25539: same product (B3Log Siyuan)
CVE-2026-32938: same product (B3Log Siyuan)
CVE-2026-32749: same product (B3Log Siyuan)
CVE-2026-32815: same product (B3Log Siyuan)
CVE-2026-33669: same product (B3Log Siyuan)
CVE-2026-29073: same product (B3Log Siyuan)

References