CVE-2026-33476
Published: 20 March 2026
Summary
CVE-2026-33476 is a high-severity Path Traversal (CWE-22) vulnerability in B3Log Siyuan. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of filepath inputs to block directory traversal attempts via improper path sanitization.
Mandates identification, authorization, and limitation of actions permitted without authentication, directly addressing the unauthenticated endpoint exclusion.
Enforces approved access authorizations at the application level to prevent unauthorized reading of arbitrary files accessible to the server process.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote directory traversal in a public-facing endpoint directly enables T1190 (Exploit Public-Facing Application) for initial access; the resulting arbitrary file read capability directly facilitates T1005 (Data from Local System) collection of sensitive files readable by the server process.
NVD Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath.` Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process.…
more
Authentication checks explicitly exclude this endpoint, allowing exploitation without valid credentials. Version 3.6.2 fixes this issue.
Deeper analysisAI
CVE-2026-33476 is a directory traversal vulnerability (CWE-22, CWE-73) affecting SiYuan, a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath`. Due to improper path sanitization, this endpoint allows attackers to perform directory traversal and read arbitrary files accessible to the server process. Authentication checks explicitly exclude this endpoint, enabling exploitation without valid credentials.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it can be exploited remotely over the network by unauthenticated attackers with low complexity and no user interaction. Successful exploitation grants access to sensitive files readable by the server process, resulting in high confidentiality impact but no integrity or availability disruption.
SiYuan version 3.6.2 addresses this issue. Mitigation details are available in the GitHub security advisory GHSA-hhgj-gg9h-rjp7 and the fixing commit 009bb598b3beccc972aa5f1ed88b3b224326bf2a.
Details
- CWE(s)