GHSA-vw86-c94w-v3x4

Suggest an improvement
Source
https://github.com/advisories/GHSA-vw86-c94w-v3x4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-vw86-c94w-v3x4/GHSA-vw86-c94w-v3x4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vw86-c94w-v3x4
Aliases
  • CVE-2026-40318
Published
2026-04-10T19:32:12Z
Modified
2026-05-05T16:11:14.491020Z
Severity
  • 8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H CVSS Calculator
Summary
SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView`
Details

Summary

The endpoint /api/av/removeUnusedAttributeView is vulnerable to a path traversal (CWE-22) that allows an attacker to delete arbitrary .json files on the server.

The issue arises because user-controlled input (id) is directly used in filesystem path construction without validation or restriction.

Access to this endpoint (e.g., via a Reader-role or publish context) is considered a precondition and not part of the vulnerability. The root cause is unsafe path handling.

Steps To Reproduce

  1. Ensure the target instance has the publish service enabled (or any valid access to the endpoint).
  2. Send the following request:
POST /api/av/removeUnusedAttributeView HTTP/1.1
Host: <target>
Content-Type: application/json

{
  "id": "../../../conf/conf"
}
  1. Observe that the request is accepted.
  2. The server resolves the path outside the intended directory and deletes the target file.

Impact

An attacker can delete arbitrary .json files within the workspace directory.

This may lead to:

  • Deletion of global configuration files (e.g., conf/conf.json)
  • Loss of user data and application state
  • Corruption of workspace metadata
  • Persistent application instability or forced recovery

This represents a server-side arbitrary file deletion primitive, which can have severe impact depending on the targeted files.

Technical Details

The vulnerable code constructs file paths as follows:

filepath.Join(util.DataDir, "storage", "av", id+".json")

Because id is not validated, attackers can inject path traversal sequences such as ../ to escape the intended directory.

Example payloads

  • ../localdata/storage/local.json
  • ../../storage/outlinedata/storage/outline.json
  • ../../../conf/confconf/conf.json

No validation or restriction is applied to:

  • input format
  • path normalization
  • directory boundaries

Root Cause

  • Untrusted user input (id) is directly used in filesystem path construction
  • No input validation or sanitization
  • No enforcement that the resolved path stays within the intended directory

Remediation

  1. Validate input strictly

    • Only allow valid Attribute View IDs
    • Reject any input containing path traversal sequences

  2. Enforce directory boundaries

base := filepath.Join(util.DataDir, "storage", "av")
absPath := filepath.Join(base, id+".json")

if !util.IsSubPath(base, absPath) {
    return error
}

  1. Normalize paths before use

    • Ensure canonical paths cannot escape the base directory

  2. Add additional logical checks

    • Verify that the target object is valid and allowed to be deleted
Database specific 
{
    "cwe_ids": [
        "CWE-24"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T19:32:12Z",
    "nvd_published_at": "2026-04-16T23:16:33Z",
    "severity": "HIGH"
}
References

Affected packages

Go / github.com/siyuan-note/siyuan/kernel

Package

Name
github.com/siyuan-note/siyuan/kernel
View open source insights on deps.dev
Purl
pkg:golang/github.com/siyuan-note/siyuan/kernel

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.6.40.0.0-20260407035653-2f416e5253f1

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-vw86-c94w-v3x4/GHSA-vw86-c94w-v3x4.json"
last_known_affected_version_range 
"< 0.0.0-20260407035653-2f416e5253f1"