Critical severityNVD Advisory· Published Mar 20, 2026· Updated Mar 20, 2026
SiYuan has an Arbitrary File Read in its Desktop Publish Service
CVE-2026-32938
Description
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET /assets/*path, which only requires authentication, a publish-service visitor can cause the desktop kernel to copy any readable sensitive file and then read it via GET, leading to exfiltration of sensitive files. This issue has been fixed in version 3.6.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/siyuan-note/siyuan/kernelGo | <= 0.0.0-20260313024916-fd6526133bb3 | — |
Affected products
3- ghsa-coords2 versionspkg:golang/github.com/siyuan-note/siyuan/kernelpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
<= 0.0.0-20260313024916-fd6526133bb3+ 1 more
- (no CPE)range: <= 0.0.0-20260313024916-fd6526133bb3
- (no CPE)range: < 0.0.20260326T203309-150000.1.155.2
- Range: < 3.6.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-fq2j-j8hc-8vw8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32938ghsaADVISORY
- github.com/siyuan-note/siyuan/commit/294b8b429dea152cd1df522cddf406054c1619adghsax_refsource_MISCWEB
- github.com/siyuan-note/siyuan/releases/tag/v3.6.1ghsax_refsource_MISCWEB
- github.com/siyuan-note/siyuan/security/advisories/GHSA-fq2j-j8hc-8vw8ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.