Cyber Resilience

CVE-2026-40318

High

Published: 16 April 2026

Published
16 April 2026
Modified
20 April 2026
KEV Added
Patch
CVSS Score v3.1 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
EPSS Score 0.0029 20.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-40318 is a high-severity Path Traversal: '../filedir' (CWE-24) vulnerability in B3Log Siyuan. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004); ranked at the 20.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-40318 is a path traversal vulnerability (CWE-24) in SiYuan, an open-source personal knowledge management system. The issue affects versions 3.6.3 and prior, where the /api/av/removeUnusedAttributeView endpoint constructs filesystem paths using a user-controlled id parameter without validation or path boundary checks. This allows attackers to inject traversal sequences like ../ to access and delete files outside the intended directory, targeting arbitrary .json files such as global configuration files and workspace metadata. The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H).

An authenticated attacker with low privileges (PR:L) can exploit this over the network with low complexity and no user interaction required. By crafting a malicious id parameter in requests to the endpoint, they can traverse directories and delete critical .json files, potentially disrupting system configuration, workspace data, and overall availability, while achieving low integrity impact through unauthorized deletions.

The vulnerability has been addressed in SiYuan version 3.6.4. Security practitioners should upgrade to this patched release, as detailed in the project's release notes (https://github.com/siyuan-note/siyuan/releases/tag/v3.6.4) and GitHub Security Advisory (https://github.com/siyuan-note/siyuan/security/advisories/GHSA-vw86-c94w-v3x4).

EU & UK References

Vulnerability details

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject path traversal sequences such as…

more

../ into the id value to escape the intended directory and delete arbitrary .json files on the server, including global configuration files and workspace metadata. This issue has been fixed in version 3.6.4.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Path traversal in the API endpoint directly enables unauthorized deletion of arbitrary .json files (T1070.004), which can be leveraged to destroy critical configuration and metadata for availability impact (T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40259Same product: B3Log Siyuan
CVE-2026-32749Same product: B3Log Siyuan
CVE-2025-21609Same product: B3Log Siyuan
CVE-2026-32767Same product: B3Log Siyuan
CVE-2026-29073Same product: B3Log Siyuan
CVE-2026-34585Same product: B3Log Siyuan
CVE-2026-34605Same product: B3Log Siyuan
CVE-2026-33670Same product: B3Log Siyuan
CVE-2026-23850Same product: B3Log Siyuan
CVE-2026-34448Same product: B3Log Siyuan

Affected Assets

b3log
siyuan
≤ 3.6.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of the user-controlled 'id' parameter to prevent injection of path traversal sequences like '../' during filesystem path construction.

prevent

Enforces access control policies to restrict low-privilege users from deleting arbitrary files outside the intended directory, mitigating the impact of successful path traversal.

detect

Generates audit records for file deletion events on the /api/av/removeUnusedAttributeView endpoint, enabling detection of unauthorized removals of critical .json files.

References