CVE-2026-32938
CRITICALSiYuan <3.6.1 Desktop Publish Service - Arbitrary File Read
Title source: manualDescription
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET /assets/*path, which only requires authentication, a publish-service visitor can cause the desktop kernel to copy any readable sensitive file and then read it via GET, leading to exfiltration of sensitive files. This issue has been fixed in version 3.6.1.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-fq2j-j8hc-8vw8
X_Refsource_Misc x_refsource_misc
https://github.com/siyuan-note/siyuan/commit/294b8b429dea152cd1df522cddf406054c1619ad
X_Refsource_Misc x_refsource_misc
https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1
Scores
CVSS v3
9.9
EPSS
0.0041
EPSS Percentile
32.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-22
CWE-284
CWE-200
Status
published
Products (2)
siyuan-note/siyuan
0Go
siyuan-note/siyuan
< 3.6.1
Published
Mar 20, 2026
Tracked Since
Mar 20, 2026