CVE-2026-32750
MEDIUMSiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes
Title source: cnaDescription
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importStdMd passes the localPath parameter directly to model.ImportFromLocalPath with zero path validation. The function recursively reads every file under the given path and permanently stores their content as SiYuan note documents in the workspace database, making them searchable and accessible to all workspace users. Data persists in the workspace database across restarts and is accessible to Publish Service Reader accounts. Combined with the renderSprig SQL injection ( separate advisory ), a non-admin user can then read all imported secrets without any additional privileges. This issue has been fixed in version 3.6.1.
Scores
CVSS v3
6.8
EPSS
0.0006
EPSS Percentile
18.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
CWE-552
Status
published
Products (2)
siyuan-note/siyuan
0Go
siyuan-note/siyuan
< 3.6.1
Published
Mar 19, 2026
Tracked Since
Mar 20, 2026