Home

Description

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET /assets/*path, which only requires authentication, a publish-service visitor can cause the desktop kernel to copy any readable sensitive file and then read it via GET, leading to exfiltration of sensitive files. This issue has been fixed in version 3.6.1.

PUBLISHED Reserved 2026-03-17 | Published 2026-03-20 | Updated 2026-03-20 | Assigner GitHub_M




CRITICAL: 9.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-284: Improper Access Control

Product status

< 3.6.1
affected

References

github.com/...siyuan/security/advisories/GHSA-fq2j-j8hc-8vw8

github.com/...ommit/294b8b429dea152cd1df522cddf406054c1619ad

github.com/siyuan-note/siyuan/releases/tag/v3.6.1

cve.org (CVE-2026-32938)

nvd.nist.gov (CVE-2026-32938)

Download JSON