CVE-2026-32938
Severity: CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H
Description
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM endpoint of the desktop kernel copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating the paths against a sensitive-path list. Combined with GET /assets/*path, which only requires authentication, a publish-service visitor can make the desktop kernel copy any file it can read into the assets directory and then retrieve it via GET, leading to exfiltration of sensitive files. This issue has been fixed in version 3.6.1.
Analysis
SiYuan personal knowledge management system versions 3.6.0 and below contain an arbitrary file read vulnerability: the paths of file:// links are not validated, so an authenticated attacker can exfiltrate any file readable by the desktop kernel. An attacker with low privileges (PR:L, for example a publish-service visitor) abuses the /api/lute/html2BlockDOM endpoint to copy sensitive files into the workspace assets directory via crafted file:// links in pasted HTML, then retrieves them through the authenticated GET /assets/ endpoint. …
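The flaw described above is a missing source-path check between "parse the file:// link" and "copy the file into assets". The following is an added example, written for this page in Go (the language of the SiYuan kernel); it is not SiYuan's code and not the 3.6.1 patch. The names PathPolicy, LocalPathFromFileURL and FilterPastedFileLinks, the sample paste and the sample policy are all hypothetical. It goes one step beyond the advisory's sensitive-path list: after canonicalising the path and applying the deny list, it also requires the source to sit under an explicit allow root, and it fails closed when the path cannot be canonicalised.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"regexp"
	"strings"
)

// PathPolicy decides which local files a file:// link in pasted HTML may be copied from.
// Hypothetical type for this example, not SiYuan's own code.
type PathPolicy struct {
	DenyPrefixes []string                     // sensitive paths: never copy from under these
	AllowRoots   []string                     // if non-empty, the source must also be under one of these
	Resolve      func(string) (string, error) // canonicaliser; nil means filepath.EvalSymlinks
}

var ErrDenied = errors.New("source path denied by policy")

// LocalPathFromFileURL turns a file:// URL into a cleaned absolute local path.
// url.Parse percent-decodes the path, so "%2e%2e" becomes ".." before Clean runs.
func LocalPathFromFileURL(raw string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "", err
	}
	if !strings.EqualFold(u.Scheme, "file") {
		return "", errors.New("not a file:// URL")
	}
	// file://host/share would be a UNC path on Windows; only the local host is accepted here.
	if u.Host != "" && !strings.EqualFold(u.Host, "localhost") {
		return "", fmt.Errorf("file URL names remote host %q", u.Host)
	}
	p := filepath.FromSlash(u.Path)
	if !filepath.IsAbs(p) {
		return "", errors.New("file URL path is not absolute")
	}
	return filepath.Clean(p), nil
}

// isUnder reports whether path equals prefix or lies beneath it (both already cleaned).
func isUnder(path, prefix string) bool {
	rel, err := filepath.Rel(filepath.Clean(prefix), path)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// Check canonicalises the path (following symlinks, so a link inside an allowed folder that
// points at ~/.ssh is still caught), then applies deny-then-allow rules. It fails closed.
func (pol PathPolicy) Check(cleaned string) error {
	resolve := pol.Resolve
	if resolve == nil {
		resolve = filepath.EvalSymlinks
	}
	canon, err := resolve(cleaned)
	if err != nil {
		return fmt.Errorf("cannot canonicalise %q: %w", cleaned, err)
	}
	for _, d := range pol.DenyPrefixes {
		if isUnder(canon, d) {
			return fmt.Errorf("%w: %q is under sensitive path %q", ErrDenied, canon, d)
		}
	}
	if len(pol.AllowRoots) > 0 {
		for _, a := range pol.AllowRoots {
			if isUnder(canon, a) {
				return nil
			}
		}
		return fmt.Errorf("%w: %q is outside the allowed roots", ErrDenied, canon)
	}
	return nil
}

// fileLinkRe pulls file: values out of href/src attributes. A regexp is enough for a
// demonstration; a real importer should walk the parsed HTML tree instead.
var fileLinkRe = regexp.MustCompile(`(?i)\b(?:href|src)\s*=\s*["']?(file:[^"'\s>]+)`)

// FilterPastedFileLinks returns the local paths that may be copied into the assets
// directory and, for every other file:// link, the reason it was rejected.
func FilterPastedFileLinks(fragment string, pol PathPolicy) (allowed []string, rejected map[string]string) {
	rejected = map[string]string{}
	for _, m := range fileLinkRe.FindAllStringSubmatch(fragment, -1) {
		link := m[1]
		p, err := LocalPathFromFileURL(link)
		if err == nil {
			err = pol.Check(p)
		}
		if err != nil {
			rejected[link] = err.Error()
			continue
		}
		allowed = append(allowed, p)
	}
	return allowed, rejected
}

// samplePaste is a constructed paste: one legitimate document link and three attempts at
// sensitive files (direct, "..", and percent-encoded "..").
const samplePaste = `<p>notes</p>
<a href="file:///home/alice/Documents/notes.md">notes</a>
<img src="file:///home/alice/.ssh/id_ed25519">
<a href="file:///home/alice/Documents/../../../etc/shadow">x</a>
<a href='file:///home/alice/Documents/%2e%2e/.ssh/id_rsa'>y</a>`

// SamplePolicy is constructed for the example; Resolve is the identity so it runs without
// the sample paths existing on disk. Production code should leave Resolve nil.
var SamplePolicy = PathPolicy{
	DenyPrefixes: []string{"/etc", "/home/alice/.ssh", "/home/alice/.config"},
	AllowRoots:   []string{"/home/alice/Documents", "/home/alice/Pictures"},
	Resolve:      func(p string) (string, error) { return p, nil },
}

func main() {
	allowed, rejected := FilterPastedFileLinks(samplePaste, SamplePolicy)
	fmt.Println("allowed:", allowed)
	for link, why := range rejected {
		fmt.Printf("rejected %s: %s\n", link, why)
	}
}
```

Run stand-alone, only /home/alice/Documents/notes.md survives; the .ssh key, the "../../../etc/shadow" link and the percent-encoded "%2e%2e" link are all rejected, the last two because the path is decoded and cleaned before the prefix comparison rather than compared as a string. The deny list alone is the minimum the advisory describes; the allow roots are what keeps the next unanticipated sensitive path out as well.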
Remediation
Within 24 hours: Inventory all SiYuan deployments, record their versions, and identify which workspaces hold sensitive data; upgrade affected instances to version 3.6.1 or later, which contains the fix. Where an immediate upgrade is not possible, disable or restrict access to the /api/lute/html2BlockDOM endpoint and to the publish service. Within 7 days: Implement network-level controls so that only trusted users can reach SiYuan; review /assets/ access logs for retrievals of asset names that no document references or that resemble system or credential files; confirm that every instance is running 3.6.1 or later. …
External POC / Exploit Code
GHSA-fq2j-j8hc-8vw8