CVE-2026-30869
Published: 10 March 2026
Description
SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary files from the server filesystem. By exploiting double-encoded traversal sequences, an attacker can access sensitive files such as conf/conf.json, which contains secrets including the API token, cookie signing key, and workspace access authentication code. Leaking these secrets may enable administrative access to the SiYuan kernel API, and in certain deployment scenarios could potentially be chained into remote code execution (RCE). This vulnerability is fixed in 3.5.10.
Mitigating Controls (NIST 800-53 r5)
- Input validation: inputs to the /export endpoint must be validated after they are fully decoded, so that a traversal sequence such as "../" cannot slip past a check that only inspects the once-decoded value. This directly prevents the arbitrary file read.
- Flaw remediation: patch to SiYuan 3.5.10 promptly; the fixed release removes the vulnerable path handling in the /export endpoint.
- System monitoring: monitor for crafted /export requests that would disclose sensitive files such as conf/conf.json (API token and other secrets), including payloads in which "../" only appears after a second round of percent-decoding.
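The bypass described in the Description and the input-validation control above, shown side by side as an added Go example. This is not SiYuan's code: `vulnerableResolve` is a hypothetical reconstruction of the bug class (a ".." check on the once-decoded value followed by a second decode before the path is joined to the export root), `hardenedResolve` is one correct way to confine the path, and the workspace layout, the `wirePayload` and the function names are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a requested path would leave the export root.
var ErrTraversal = errors.New("path escapes export root")

// Constructed wire payload: every byte of "../../conf/conf.json" is percent-encoded
// twice, so after one decode it still reads %2e%2e%2f... and looks harmless.
// The workspace layout below is assumed for the example, not taken from SiYuan.
const (
	exportRoot  = "/data/workspace/temp/export"
	wirePayload = "%252e%252e%252f%252e%252e%252fconf%252fconf.json"
)

// routerDecode stands in for the HTTP router, which decodes the request path
// once before the handler sees it.
func routerDecode(wire string) string {
	s, err := url.PathUnescape(wire)
	if err != nil {
		return wire
	}
	return s
}

// vulnerableResolve is a hypothetical reconstruction of the bug class in the
// advisory (not SiYuan's code): the ".." check runs on the once-decoded value,
// but the value is decoded a second time before it is joined to the root.
func vulnerableResolve(root, p string) (string, error) {
	if strings.Contains(p, "..") {
		return "", ErrTraversal
	}
	decoded, err := url.PathUnescape(p) // %2e%2e%2f becomes ../ only after the check ran
	if err != nil {
		return "", err
	}
	return filepath.Join(root, decoded), nil // Join cleans "..", so the result leaves root
}

// hardenedResolve decodes exactly once, refuses anything that still carries a
// second encoding layer, then confines the cleaned path to root.
func hardenedResolve(root, p string) (string, error) {
	decoded, err := url.PathUnescape(p)
	if err != nil {
		return "", err
	}
	// A '%' surviving one decode means the client nested encodings; file names never
	// need that. NUL bytes and absolute paths are rejected for the same reason.
	if strings.ContainsRune(decoded, '%') || strings.ContainsRune(decoded, 0) || filepath.IsAbs(decoded) {
		return "", ErrTraversal
	}
	full := filepath.Join(root, decoded)
	// The confinement check runs on the final, cleaned path that would be opened.
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	p := routerDecode(wirePayload)
	fmt.Println("handler sees:", p)
	if f, err := vulnerableResolve(exportRoot, p); err == nil {
		fmt.Println("vulnerable resolver opens:", f)
	}
	if _, err := hardenedResolve(exportRoot, p); err != nil {
		fmt.Println("hardened resolver:", err)
	}
}
```

The important property of the hardened version is not the '%' rejection (that is defence in depth) but that the confinement check is applied to the exact string that is handed to the filesystem, after all decoding and cleaning. If the export root may contain symlinks, resolve `full` with `filepath.EvalSymlinks` before the `filepath.Rel` check, otherwise a link inside the root can still point outside it.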
Security Summary
CVE-2026-30869 is a path traversal vulnerability (CWE-22) affecting SiYuan, a personal knowledge management system, in versions prior to 3.5.10. The issue resides in the /export endpoint, which fails to properly sanitize its input: the traversal check can be bypassed with double-encoded forms of sequences such as "../", allowing an attacker to read arbitrary files from the server filesystem. This includes sensitive configuration files like conf/conf.json, which stores critical secrets such as the API token, cookie signing key, and workspace access authentication code. The vulnerability carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L), a critical rating driven by network reachability, low attack complexity, and the absence of any privilege or user-interaction requirement.
Any unauthenticated remote attacker can exploit this vulnerability by sending crafted requests to the /export endpoint. Successful exploitation discloses sensitive files and the secrets they hold, potentially granting administrative access to the SiYuan kernel API. In certain deployment configurations the leaked credentials could be chained into remote code execution (RCE), amplifying the impact well beyond information disclosure.
The vulnerability is fixed in SiYuan version 3.5.10, as detailed in the GitHub Security Advisory GHSA-2h2p-mvfx-868w. Security practitioners should upgrade to the patched version immediately and review access logs for exploitation attempts involving double-encoded path traversal payloads. Because upgrading does not invalidate secrets that may already have been read, the API token, cookie signing key and workspace access code in conf/conf.json should be rotated on any instance that was reachable while vulnerable.
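As an added example of the log review recommended above (not code from the page or the SiYuan project): a Go scanner over constructed access-log lines in a common combined-log shape, which flags /export requests whose target contains a ".." segment at any decoding depth, so single-encoded, double-encoded and mixed encodings are all caught. The log format, the sample lines and the client addresses are constructed for the example; the log format actually in front of a SiYuan instance may differ and the regular expression should be adapted to it.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample lines in a common access-log shape (not real SiYuan logs).
// Lines 2, 3 and 5 carry traversal payloads at increasing encoding depth.
var sampleLog = []string{
	`203.0.113.7 - - [10/Mar/2026:12:01:02 +0000] "GET /export/notes/today.md HTTP/1.1" 200 5120`,
	`203.0.113.7 - - [10/Mar/2026:12:01:09 +0000] "GET /export/..%2f..%2fconf%2fconf.json HTTP/1.1" 403 0`,
	`203.0.113.7 - - [10/Mar/2026:12:01:15 +0000] "GET /export/%252e%252e%252f%252e%252e%252fconf%252fconf.json HTTP/1.1" 200 2210`,
	`198.51.100.4 - - [10/Mar/2026:12:02:00 +0000] "GET /api/system/version HTTP/1.1" 200 64`,
	`198.51.100.4 - - [10/Mar/2026:12:02:30 +0000] "GET /export/%25%32%65%25%32%65/conf/conf.json HTTP/1.1" 200 2210`,
}

// Finding records one /export request whose target contains a ".." segment after
// Layers rounds of percent-decoding (0 = plain, 1 = single-encoded, 2 = double-encoded,
// the form the advisory describes).
type Finding struct {
	Line   int
	Client string
	Status string
	Target string
	Layers int
}

// maxDecodeRounds bounds the decode loop; nothing legitimate needs more than one layer.
const maxDecodeRounds = 3

// logLine matches client, timestamp, method, target and status in a combined-log
// style line. The format is an assumption for this example.
var logLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})`)

// hasDotDotSegment splits on both slash styles and on query delimiters, so a ".."
// segment is found whether it sits in the path or in a query parameter value.
func hasDotDotSegment(p string) bool {
	segs := strings.FieldsFunc(p, func(r rune) bool {
		return r == '/' || r == '\\' || r == '?' || r == '&' || r == '='
	})
	for _, seg := range segs {
		if seg == ".." {
			return true
		}
	}
	return false
}

// traversalLayers reports how many decoding rounds it takes before a ".." segment
// appears in target, and false if none appears within maxDecodeRounds.
func traversalLayers(target string) (int, bool) {
	cur := target
	for round := 0; round <= maxDecodeRounds; round++ {
		if hasDotDotSegment(cur) {
			return round, true
		}
		next, err := url.PathUnescape(cur)
		if err != nil || next == cur {
			return 0, false // malformed escape, or fully decoded without a hit
		}
		cur = next
	}
	return 0, false
}

// scanAccessLog returns a Finding for every /export request whose target resolves
// to a traversal at any decoding depth. Other endpoints are skipped.
func scanAccessLog(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		m := logLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		target := m[3]
		if !strings.HasPrefix(target, "/export") {
			continue
		}
		if layers, hit := traversalLayers(target); hit {
			out = append(out, Finding{Line: i + 1, Client: m[1], Status: m[4], Target: target, Layers: layers})
		}
	}
	return out
}

func main() {
	for _, f := range scanAccessLog(sampleLog) {
		fmt.Printf("line %d: %s -> %s (status %s, traversal after %d decode(s))\n",
			f.Line, f.Client, f.Target, f.Status, f.Layers)
	}
}
```

A 403 on a single-encoded attempt followed by a 200 with a non-trivial response size on a double-encoded one, from the same client within seconds, is the pattern worth escalating: it shows the first-layer check working and then being bypassed. Requests that were served with 200 should be treated as confirmed disclosure of whatever file the decoded target names.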
Details
- CWE(s): CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected Products
- SiYuan, all versions prior to 3.5.10 (fixed in 3.5.10)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the public-facing /export endpoint is exploitation of a public-facing application (T1190); it yields arbitrary file reads from the local filesystem (T1005, Data from Local System), including configuration files that hold secrets such as the API token (T1552.001, Unsecured Credentials: Credentials In Files).