GHSA-vw86-c94w-v3x4 · Severity: high · Ecosystem: go — SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView`
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject path traversal sequences such as ../ into the id value to escape the intended directory and delete arbitrary .json files on the server, including global configuration files and workspace metadata. This issue has been fixed in version 3.6.4.
Conclusion & alert: CVE-2026-40318 is rated Moderate Risk (40.4/100): CVSS High severity, with low exploitation likelihood (EPSS 0.06%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-04-17 | — | 0.06% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.5 | 3.1 | HIGH |
|
3.1 | 4.7 | [email protected] |
GHSA-vw86-c94w-v3x4 · Severity: high · Ecosystem: go — SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView`
| URL | Tags |
|---|---|
| https://github.com/siyuan-note/siyuan/releases/tag/v3.6.4 | Release Notes |
| https://github.com/siyuan-note/siyuan/security/advisories/GHSA-vw86-c94w-v3x4 | Third Party Advisory |