CVE-2026-29073
SiYuan: Direct SQL Query API accessible to Reader-level users enables unauthorized database access
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql endpoint lets a user run SQL directly, but it only checks basic authentication, not admin rights, so any logged-in user, even one with the Reader role, can run any SQL query against the database. This issue has been patched in version 3.6.0.
| CWE | CWE-862 CWE-89 |
| Vendor | siyuan-note |
| Product | siyuan |
| Published | Mar 6, 2026 |
| Last Updated | Mar 9, 2026 |
Affected Versions
siyuan-note / siyuan
< 3.6.0