Skip to main content

Suse CVE-2026-32938

CRITICAL
Path Traversal (CWE-22)
2026-03-20 security-advisories@github.com GHSA-fq2j-j8hc-8vw8
9.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H
SUSE
CRITICAL
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 20, 2026 - 08:37 vuln.today
CVE Published
Mar 20, 2026 - 04:16 nvd
CRITICAL 9.9

DescriptionGitHub Advisory

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET /assets/*path, which only requires authentication, a publish-service visitor can cause the desktop kernel to copy any readable sensitive file and then read it via GET, leading to exfiltration of sensitive files. This issue has been fixed in version 3.6.1.

AnalysisAI

SiYuan personal knowledge management system versions 3.6.0 and below contain a path traversal vulnerability that allows authenticated attackers to exfiltrate arbitrary readable files from the system. An attacker with low-level privileges can exploit the /api/lute/html2BlockDOM endpoint to copy sensitive files to the workspace assets directory via malicious file:// links in pasted HTML, then retrieve them through the authenticated GET /assets/ endpoint. This is a critical vulnerability with a CVSS score of 9.9 due to its potential for high confidentiality impact and scope change, though no active exploitation (KEV) or public proof-of-concept has been documented.

Technical ContextAI

SiYuan is a privacy-first personal knowledge management system that processes HTML input through a /api/lute/html2BlockDOM endpoint. The vulnerability stems from inadequate path validation (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) when processing file:// URI schemes embedded in pasted HTML content. The desktop application's kernel fails to sanitize or validate paths against a sensitive-path allowlist before copying files into the workspace assets directory. This allows traversal outside intended directories, enabling access to system files, SSH keys, configuration files, or other sensitive data accessible to the application's process. The affected component is the Lute HTML-to-block conversion library integrated into SiYuan's desktop kernel.

RemediationAI

Upgrade SiYuan to version 3.6.1 or later, which contains the fix for this path traversal vulnerability as documented in the release notes at https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1. The specific remediation commit is available at https://github.com/siyuan-note/siyuan/commit/294b8b429dea152cd1df522cddf406054c1619ad for technical review. Until patching is completed, organizations should restrict authenticated access to trusted users only, implement network-level access controls to limit who can reach SiYuan instances, and monitor the assets directory for unexpected file creation. Consider disabling or restricting the publish-service feature if not operationally required, as visitor access expands the attack surface. Review file system permissions to ensure the SiYuan process runs with minimal privileges necessary to limit the scope of readable sensitive files.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-32938 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy