CVE-2026-32938
SiYuan has an Arbitrary File Read in its Desktop Publish Service
CVSS Score
9.9
EPSS Score
0.1%
EPSS Percentile
25th
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET /assets/*path, which only requires authentication, a publish-service visitor can cause the desktop kernel to copy any readable sensitive file and then read it via GET, leading to exfiltration of sensitive files. This issue has been fixed in version 3.6.1.
| CWE | CWE-22 CWE-200 CWE-284 |
| Vendor | siyuan-note |
| Product | siyuan |
| Published | Mar 20, 2026 |
| Last Updated | Mar 20, 2026 |
Stay Ahead of the Next One
Get instant alerts for siyuan-note siyuan
Be the first to know when new critical vulnerabilities affecting siyuan-note siyuan are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
High
Affected Versions
siyuan-note / siyuan
< 3.6.1