High severity · NVD Advisory · Published Mar 11, 2026 · Updated Mar 12, 2026
SiYuan has a Full-Read SSRF via /api/network/forwardProxy
CVE-2026-32110
Description
SiYuan is a personal knowledge management system. Prior to 3.6.0, the /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and headers. There is no URL validation to prevent requests to internal networks, localhost, or cloud metadata services. This vulnerability is fixed in 3.6.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/siyuan-note/siyuan/kernel (Go) | < 3.6.0 | 3.6.0 |
Affected products
- Range: < 3.6.0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-56cv-c5p2-j2wg (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-32110 (ghsa, ADVISORY)
- github.com/siyuan-note/siyuan/security/advisories/GHSA-56cv-c5p2-j2wg (ghsa, x_refsource_CONFIRM, WEB)