GHSA-hjh7-r5w8-5872: SiYuan: Path Traversal via Double URL Encoding in `/export/` Endpoint (Incomplete Fix Bypass for CVE-2026-30869)
The fix for CVE-2026-30869 in SiYuan v3.5.10 only added a denylist check (IsSensitivePath) but did not address the root cause: a redundant url.PathUnescape() call in serveExport(), which percent-decodes a request path that the HTTP layer has already decoded once. An authenticated attacker can therefore use double URL encoding (%252e%252e, which decodes first to %2e%2e and then to ..) to traverse directories and read arbitrary workspace files, including the full SQLite database (siyuan.db), the kernel log, and all user documents. Fixed in v3.6.5.
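The following is an added, self-contained Go model of the bug class described above; it is not SiYuan's code. The function names (requestPathFromURL, naiveDenylist, vulnerableResolve, hardenedResolve) and the export root path are hypothetical, and the model assumes the denylist runs on the once-decoded request path before the redundant url.PathUnescape(), which is one ordering consistent with the advisory but not confirmed by it. The hardened variant does what the advisory implies (decode nothing a second time) and additionally enforces containment with filepath.Rel, which is defense in depth rather than a claim about the upstream patch.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a request path would leave the export root.
var ErrTraversal = errors.New("path escapes export root")

// requestPathFromURL models what the HTTP layer hands the handler: the raw
// URL path percent-decoded exactly once, with the route prefix stripped.
func requestPathFromURL(rawURLPath string) (string, error) {
	decoded, err := url.PathUnescape(rawURLPath) // first (legitimate) decode
	if err != nil {
		return "", err
	}
	return strings.TrimPrefix(decoded, "/export/"), nil
}

// naiveDenylist is a stand-in for a string-based sensitive-path check.
// It only sees the once-decoded path, so "%2e%2e" passes.
func naiveDenylist(p string) bool {
	return strings.Contains(p, "..")
}

// vulnerableResolve reproduces the root cause: after the denylist check it
// percent-decodes the path a second time, so %2e%2e becomes ".." and the
// attacker-controlled path is joined onto root without any containment check.
func vulnerableResolve(root, requestPath string) (string, error) {
	if naiveDenylist(requestPath) {
		return "", ErrTraversal
	}
	decoded, err := url.PathUnescape(requestPath) // redundant second decode
	if err != nil {
		return "", err
	}
	return filepath.Join(root, decoded), nil
}

// hardenedResolve performs no further decoding and verifies that the cleaned,
// joined path is still inside root. filepath.Join cleans "..", so a traversal
// attempt shows up as a relative path that starts with "..".
func hardenedResolve(root, requestPath string) (string, error) {
	joined := filepath.Join(root, requestPath)
	rel, err := filepath.Rel(root, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return joined, nil
}

func main() {
	root := "/tmp/workspace/export" // hypothetical export root

	// Constructed attacker request: each "." is encoded as %252e (double encoding).
	raw := "/export/%252e%252e/%252e%252e/siyuan.db"
	once, _ := requestPathFromURL(raw)
	fmt.Println("handler receives:", once)

	p, err := vulnerableResolve(root, once)
	fmt.Println("vulnerable:", p, err) // resolves outside root
	p, err = hardenedResolve(root, once)
	fmt.Println("hardened:  ", p, err) // literal "%2e%2e" directory inside root

	_, err = hardenedResolve(root, "../../siyuan.db")
	fmt.Println("hardened single-encoded:", err) // rejected by containment check
}
```

The point the test makes is that the denylist is not wrong, it is just measured against the wrong string: it inspects the path after one decode, and the second decode happens afterwards. Removing the redundant decode is the fix; the filepath.Rel check is a cheap guard against the next encoding trick.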
References
- github.com/advisories/GHSA-2h2p-mvfx-868w
- github.com/advisories/GHSA-hjh7-r5w8-5872
- github.com/siyuan-note/siyuan
- github.com/siyuan-note/siyuan/commit/bb481e1290c4a34255652ede85a546504505d2a7
- github.com/siyuan-note/siyuan/releases/tag/v3.6.5
- github.com/siyuan-note/siyuan/security/advisories/GHSA-hjh7-r5w8-5872