CVE-2026-32938

moderate-risk

Published 2026-03-20

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET /assets/*path, which only requires authentication, a publish-service visitor can cause the desktop kernel to copy any readable sensitive file and then read it via GET, leading to exfiltration of sensitive files. This issue has been fixed in version 3.6.1.

Do I need to act?

0.22% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: 294b8b429dea152cd1df522cddf406054c1619ad, fe4523fff2c84d6b06856331e735cc2938c2c5b0

CVSS 9.9/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Siyuan

Affected Vendors

B3Log

References (3)

Patch https://github.com/siyuan-note/siyuan/commit/294b8b429dea152cd1df522cddf406054c1...

Release Notes https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1

Exploit https://github.com/siyuan-note/siyuan/security/advisories/GHSA-fq2j-j8hc-8vw8

/ 100

moderate-risk

Severity 33/34 · Critical

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal