Vulnerability Description
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET /assets/*path, which only requires authentication, a publish-service visitor can cause the desktop kernel to copy any readable sensitive file and then read it via GET, leading to exfiltration of sensitive files. This issue has been fixed in version 3.6.1.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| B3Log | Siyuan | < 3.6.1 |
Related Weaknesses (CWE)
References
- https://github.com/siyuan-note/siyuan/commit/294b8b429dea152cd1df522cddf406054c1Patch
- https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1Release Notes
- https://github.com/siyuan-note/siyuan/security/advisories/GHSA-fq2j-j8hc-8vw8ExploitVendor Advisory
FAQ
What is CVE-2026-32938?
CVE-2026-32938 is a vulnerability with a CVSS score of 9.9 (CRITICAL). SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspa...
How severe is CVE-2026-32938?
CVE-2026-32938 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-32938?
Check the references section above for vendor advisories and patch information. Affected products include: B3Log Siyuan.