Description
SiYuan is a personal knowledge management system. Prior to version 3.1.16, an arbitrary file read vulnerability exists in Siyuan's `/api/template/render` endpoint. The absence of proper validation on the path parameter allows attackers to access sensitive files on the host system. Version 3.1.16 contains a patch for the issue.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-xx68-37v4-4596
Scores
CVSS v3
7.5
EPSS
0.0065
EPSS Percentile
70.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (2)
b3log/siyuan
3.1.15
siyuan-note/siyuan
0Go
Published
Dec 12, 2024
Tracked Since
Feb 18, 2026