
CVE-2026-32749

Severity: High · Public PoC

Published: 19 March 2026
Modified: 23 March 2026
KEV Added: not listed
Patch: available (version 3.6.1)
CVSS v3.1 score: 7.6 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N)
EPSS score: 0.0043 (34.6th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-32749 is a high-severity Path Traversal (CWE-22) vulnerability in B3Log Siyuan. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 34.6th percentile for exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32749 is a path traversal vulnerability (CWE-22, CWE-73) affecting SiYuan, a personal knowledge management system, in versions 3.6.0 and below. The issue resides in the POST /api/import/importSY and POST /api/import/importZipMd endpoints, which write uploaded archives to paths derived directly from the multipart filename field without sanitization. This allows files to be placed in arbitrary locations outside the intended temporary directory, including sensitive system paths.

An authenticated administrator (PR:H) can exploit this vulnerability remotely (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving a scope change (S:C). Successful exploitation enables arbitrary file writes, which can overwrite workspace or application files for data destruction, escalate to remote code execution (RCE) by targeting system paths, and fully compromise Docker containers running as root—a common default configuration. The CVSS v3.1 base score is 7.6, reflecting limited confidentiality impact (C:L), high integrity impact (I:H), and no availability impact (A:N).
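As an added example (not SiYuan's own code, and not the fix referenced in GHSA-qvvf-q994-x79v), the Go below contrasts a destination path built directly from the multipart filename, as the analysis above describes, with a builder that applies the input-validation control (SI-10) listed under Mitigating Controls: only the last path element of the supplied name is kept, and the resulting path is checked to still lie inside the temp directory. The directory /tmp/siyuan-import, the sample filenames, and the function names are constructed for illustration and carry no assumption about SiYuan's internal identifiers.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Added example, not SiYuan's code. It contrasts a destination path built
// directly from a client-supplied multipart filename (the flaw described in
// the analysis) with a hardened builder that confines writes to the temp
// directory. The directory and filenames used below are constructed.

// ErrBadFilename is returned when an upload name cannot be used safely.
var ErrBadFilename = errors.New("unsafe upload filename")

// vulnerableDest mirrors the described flaw: the destination is derived
// straight from the filename. filepath.Join cleans the result, but cleaning
// resolves ".." components instead of rejecting them, so "../.." climbs out
// of tmpDir.
func vulnerableDest(tmpDir, filename string) string {
	return filepath.Join(tmpDir, filename)
}

// escapes reports whether dest lies outside baseDir. It is used both as the
// defence-in-depth check in safeDest and to show the two builders' difference.
func escapes(baseDir, dest string) bool {
	rel, err := filepath.Rel(baseDir, dest)
	return err != nil || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeDest keeps only the last path element of the supplied name, rejects
// names that carry no usable component, and then verifies that the final
// path is still inside tmpDir. The second check is defence in depth: if the
// base-name logic is ever changed, an escape is still caught.
func safeDest(tmpDir, filename string) (string, error) {
	// Some clients send backslash-separated names; normalise before Base so a
	// Windows-style `..\..\x` is not kept as a single odd file name.
	name := filepath.Base(strings.ReplaceAll(filename, `\`, "/"))
	if name == "." || name == ".." || name == "/" || strings.ContainsRune(name, 0) {
		return "", ErrBadFilename
	}
	base, err := filepath.Abs(tmpDir)
	if err != nil {
		return "", err
	}
	dest := filepath.Join(base, name)
	if escapes(base, dest) {
		return "", ErrBadFilename
	}
	return dest, nil
}

func main() {
	tmpDir := "/tmp/siyuan-import" // constructed temp directory
	// Constructed filenames of the kind a malicious multipart part could carry.
	// On Linux the backslash form is a single odd file name and does not escape
	// via Join; on Windows it would, which is why safeDest normalises it.
	for _, n := range []string{
		"notes.sy.zip",
		"../../etc/cron.d/backdoor",
		"..",
		`..\..\etc\cron.d\backdoor`,
	} {
		v := vulnerableDest(tmpDir, n)
		s, err := safeDest(tmpDir, n)
		fmt.Printf("%-30q vulnerable=%s escapes=%-5v safe=%q err=%v\n",
			n, v, escapes(tmpDir, v), s, err)
	}
}
```

Run with `go run .`: the "../../etc/cron.d/backdoor" name resolves to /etc/cron.d/backdoor under the vulnerable builder, while safeDest reduces it to /tmp/siyuan-import/backdoor; a bare ".." is rejected outright. Keeping the base name rather than stripping "../" substrings avoids the classic bypass of nested sequences, and the final containment check costs nothing.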

The vulnerability has been addressed in SiYuan version 3.6.1. Security practitioners should upgrade to this patched release, as detailed in the GitHub security advisory (GHSA-qvvf-q994-x79v), release notes (v3.6.1), and fixing commit (5ee00907f0b0c4aca748ce21ef1977bb98178e14).


Vulnerability details

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importSY and POST /api/import/importZipMd write uploaded archives to a path derived from the multipart filename field without sanitization, allowing an admin to write files to arbitrary locations outside the temp directory, including system paths that enable RCE. This can lead to data destruction by overwriting workspace or application files, and for Docker containers running as root (a common default), this grants full container compromise. This issue has been fixed in version 3.6.1.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-73 External Control of File Name or Path

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Path traversal in web API endpoints is exploitation of a public-facing application (T1190). The resulting arbitrary file write enables data destruction by overwriting workspace or application files (T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33476 (same product: B3Log Siyuan)
CVE-2025-21609 (same product: B3Log Siyuan)
CVE-2026-40259 (same product: B3Log Siyuan)
CVE-2026-33670 (same product: B3Log Siyuan)
CVE-2026-23850 (same product: B3Log Siyuan)
CVE-2026-25992 (same product: B3Log Siyuan)
CVE-2026-30869 (same product: B3Log Siyuan)
CVE-2026-25539 (same product: B3Log Siyuan)
CVE-2026-32938 (same product: B3Log Siyuan)
CVE-2026-34605 (same product: B3Log Siyuan)

Affected Assets

b3log siyuan ≤ 3.6.0 (fixed in 3.6.1)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent)
Directly mitigates path traversal by requiring validation of uploaded multipart filenames, so that only a plain file name (no traversal sequences or directory components) is used to build the destination path.

SI-2 Flaw Remediation (prevent)
Requires timely remediation of the identified flaw by upgrading to version 3.6.1, which eliminates the unsanitized path handling.

AC-6 Least Privilege (prevent)
Limits damage from arbitrary file writes by enforcing least privilege on the application process (for example, not running the container as root), so that system paths cannot be overwritten even if traversal succeeds.
