CVE-2026-32749
Published: 19 March 2026
Summary
CVE-2026-32749 is a high-severity Path Traversal (CWE-22) vulnerability in B3Log Siyuan. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 30.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mitigates path traversal by requiring validation of uploaded multipart filenames to ensure they do not contain traversal sequences.
- SI-2 (Flaw Remediation): Requires timely remediation of the identified flaw through patching to version 3.6.1, eliminating the unsanitized path handling.
- Least privilege: Limits damage from arbitrary file writes by enforcing least privilege on the application process, preventing overwrites to system paths even if traversal succeeds.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in web API endpoints enables exploitation of public-facing application (T1190). Arbitrary file writes facilitate data destruction via file overwrites (T1485).
NVD Description
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importSY and POST /api/import/importZipMd write uploaded archives to a path derived from the multipart filename field without sanitization, allowing an admin to write files to arbitrary locations outside the temp directory - including system paths that enable RCE. This can lead to data destruction by overwriting workspace or application files, and for Docker containers running as root (common default), this grants full container compromise. This issue has been fixed in version 3.6.1.
Deeper analysis
CVE-2026-32749 is a path traversal vulnerability (CWE-22, CWE-73) affecting SiYuan, a personal knowledge management system, in versions 3.6.0 and below. The issue resides in the POST /api/import/importSY and POST /api/import/importZipMd endpoints, which write uploaded archives to paths derived directly from the multipart filename field without sanitization. This allows files to be placed in arbitrary locations outside the intended temporary directory, including sensitive system paths.
An authenticated administrator (PR:H) can exploit this vulnerability remotely (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving a scope change (S:C). Successful exploitation enables arbitrary file writes, which can overwrite workspace or application files for data destruction, escalate to remote code execution (RCE) by targeting system paths, and fully compromise Docker containers running as root—a common default configuration. The CVSS v3.1 base score is 7.6, reflecting limited confidentiality impact (C:L), high integrity impact (I:H), and no availability impact (A:N).
The vulnerability has been addressed in SiYuan version 3.6.1. Security practitioners should upgrade to this patched release, as detailed in the GitHub security advisory (GHSA-qvvf-q994-x79v), release notes (v3.6.1), and fixing commit (5ee00907f0b0c4aca748ce21ef1977bb98178e14).
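As an added example (not the advisory's text or SiYuan's own code), the flawed join the advisory describes is shown beside a hardened variant in Go, SiYuan's implementation language; the `/tmp/siyuan-import` directory and the function names are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"path/filepath"
	"strings"
)

// ErrUnsafeFilename is returned when a client-supplied filename would
// land outside the upload directory or is not a plain base name.
var ErrUnsafeFilename = errors.New("unsafe multipart filename")

// unsafeUploadPath mirrors the flawed pattern the advisory describes: the
// multipart filename is joined onto the temp directory as-is, so a name
// carrying "../" segments is cleaned into a path outside tempDir.
func unsafeUploadPath(tempDir, filename string) string {
	return filepath.Join(tempDir, filename)
}

// safeUploadPath accepts only a plain base name and re-checks the final
// path with filepath.Rel, so the result is always inside tempDir.
func safeUploadPath(tempDir, filename string) (string, error) {
	// Treat backslashes as separators too: on Linux filepath leaves them
	// alone, but a client may still send Windows-style names.
	name := strings.ReplaceAll(filename, `\`, "/")
	if name == "" || name == "." || name == ".." ||
		strings.ContainsAny(name, "/\x00") {
		return "", ErrUnsafeFilename
	}
	root, err := filepath.Abs(tempDir)
	if err != nil {
		return "", err
	}
	dst := filepath.Join(root, name)
	if escapesDir(root, dst) {
		return "", ErrUnsafeFilename
	}
	return dst, nil
}

// escapesDir reports whether path resolves outside dir (or equals it).
func escapesDir(dir, path string) bool {
	rel, err := filepath.Rel(dir, path)
	return err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator))
}
```

The `escapesDir` check on its own is also a cheap way to audit any existing path-building code for the same escape.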
Details
- CWE(s)