CVE-2026-32938
CRITICALSiYuan has an Arbitrary File Read in its Desktop Publish Service
Title source: cnaDescription
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET /assets/*path, which only requires authentication, a publish-service visitor can cause the desktop kernel to copy any readable sensitive file and then read it via GET, leading to exfiltration of sensitive files. This issue has been fixed in version 3.6.1.
Scores
CVSS v3
9.9
EPSS
0.0025
EPSS Percentile
48.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-22
CWE-284
CWE-200
Status
published
Products (2)
siyuan-note/siyuan
0Go
siyuan-note/siyuan
< 3.6.1
Published
Mar 20, 2026
Tracked Since
Mar 20, 2026