CVE-2026-40318

High

Published: 16 April 2026

Published

16 April 2026

Modified

20 April 2026

KEV Added

—

Patch

—

CVSS Score 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H

EPSS Score 0.0007 20.2th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-40318 is a high-severity Path Traversal: '../filedir' (CWE-24) vulnerability in B3Log Siyuan. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004); ranked at the 20.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to File Deletion (T1070.004) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of the user-controlled 'id' parameter to prevent injection of path traversal sequences like '../' during filesystem path construction.

AC-3 Access Enforcement partial match

prevent

Enforces access control policies to restrict low-privilege users from deleting arbitrary files outside the intended directory, mitigating the impact of successful path traversal.

AU-12 Audit Record Generation partial match

detect

Generates audit records for file deletion events on the /api/av/removeUnusedAttributeView endpoint, enabling detection of unauthorized removals of critical .json files.

MITRE ATT&CK Enterprise TechniquesAI

T1070.004 File Deletion Stealth

Adversaries may delete files left behind by the actions of their intrusion activity.

attack.mitre.org →

T1485 Data Destruction Impact

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

attack.mitre.org →

Why these techniques?

Path traversal in the API endpoint directly enables unauthorized deletion of arbitrary .json files (T1070.004), which can be leveraged to destroy critical configuration and metadata for availability impact (T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject path traversal sequences such as…

../ into the id value to escape the intended directory and delete arbitrary .json files on the server, including global configuration files and workspace metadata. This issue has been fixed in version 3.6.4.

Deeper analysisAI

CVE-2026-40318 is a path traversal vulnerability (CWE-24) in SiYuan, an open-source personal knowledge management system. The issue affects versions 3.6.3 and prior, where the /api/av/removeUnusedAttributeView endpoint constructs filesystem paths using a user-controlled id parameter without validation or path boundary checks. This allows attackers to inject traversal sequences like ../ to access and delete files outside the intended directory, targeting arbitrary .json files such as global configuration files and workspace metadata. The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H).

An authenticated attacker with low privileges (PR:L) can exploit this over the network with low complexity and no user interaction required. By crafting a malicious id parameter in requests to the endpoint, they can traverse directories and delete critical .json files, potentially disrupting system configuration, workspace data, and overall availability, while achieving low integrity impact through unauthorized deletions.

The vulnerability has been addressed in SiYuan version 3.6.4. Security practitioners should upgrade to this patched release, as detailed in the project's release notes (https://github.com/siyuan-note/siyuan/releases/tag/v3.6.4) and GitHub Security Advisory (https://github.com/siyuan-note/siyuan/security/advisories/GHSA-vw86-c94w-v3x4).

Details

CWE(s): CWE-24

Affected Products

b3log

siyuan

≤ 3.6.4

CVEs Like This One

CVE-2025-21609Same product: B3Log Siyuan

CVE-2026-32749Same product: B3Log Siyuan

CVE-2026-40259Same product: B3Log Siyuan

CVE-2026-32767Same product: B3Log Siyuan

CVE-2026-29073Same product: B3Log Siyuan

CVE-2026-32110Same product: B3Log Siyuan

CVE-2026-23852Same product: B3Log Siyuan

CVE-2026-30869Same product: B3Log Siyuan

CVE-2026-32940Same product: B3Log Siyuan

CVE-2026-25992Same product: B3Log Siyuan

References

https://github.com/siyuan-note/siyuan/releases/tag/v3.6.4
Release Notes · security-advisories@github.com
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-vw86-c94w-v3x4
Third Party Advisory · security-advisories@github.com