SiYuan has an Incomplete Fix for IsSensitivePath Denylist Allows File Read from /opt, /usr, /home
Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the IsSensitivePath() function in kernel/util/path.go uses a denylist approach that was recently expanded (GHSA-h5vh-m7fg-w5h6, commit 9914fd1) but remains incomplete. Multiple security-relevant Linux directories are not blocked, including /opt (application data), /usr (local configs/binaries), /home (other users), /mnt and /media (mounted volumes). The globalCopyFiles and importStdMd endpoints rely on IsSensitivePath as their primary defense against reading files outside the workspace. Version 3.6.2 contains an updated fix.
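To make the denylist-versus-allowlist point concrete, here is an added Go example; it is not SiYuan's code from kernel/util/path.go, and the denylist entries, the workspace path and the sample file paths in it are constructed for illustration. The denylist check accepts any path whose prefix it does not happen to list, which is exactly the gap the description names, whereas the workspace-confinement check denies everything that does not resolve to a location under the workspace root.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// constructedDenylist is an assumed list for illustration only; it is not the
// actual content of SiYuan's IsSensitivePath denylist.
var constructedDenylist = []string{"/etc", "/root", "/proc", "/sys"}

// isSensitivePathDenylist mimics a denylist design: a path is rejected only
// when it lies under one of the listed prefixes. Any directory the list does
// not name (for example /opt, /usr, /home, /mnt, /media) passes unchecked.
func isSensitivePathDenylist(p string) bool {
	clean := filepath.Clean(p)
	for _, d := range constructedDenylist {
		if clean == d || strings.HasPrefix(clean, d+"/") {
			return true
		}
	}
	return false
}

// isInsideWorkspace is the allowlist alternative: normalise both paths and
// accept the target only if it is the workspace root or something beneath it.
// Everything else is denied by default, so there is no list to keep complete.
func isInsideWorkspace(workspace, p string) bool {
	absWorkspace, err := filepath.Abs(workspace)
	if err != nil {
		return false
	}
	absPath, err := filepath.Abs(p)
	if err != nil {
		return false
	}
	rel, err := filepath.Rel(absWorkspace, absPath)
	if err != nil {
		return false
	}
	// A relative path that starts with ".." escapes the workspace root.
	// Comparing Rel output (rather than a raw string prefix) also rejects
	// sibling directories such as "/ws2" when the workspace is "/ws".
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	// Constructed workspace root and candidate paths.
	workspace := "/srv/siyuan/workspace"
	candidates := []string{
		"/srv/siyuan/workspace/data/notes.md",
		"/srv/siyuan/workspace/../../etc/passwd",
		"/etc/passwd",
		"/opt/app/config.yaml",
		"/home/alice/.ssh/config",
	}
	fmt.Printf("%-45s %-10s %-10s\n", "path", "denylist", "allowlist")
	for _, c := range candidates {
		denied := isSensitivePathDenylist(c)
		allowed := isInsideWorkspace(workspace, c)
		fmt.Printf("%-45s %-10v %-10v\n", c, !denied, allowed)
	}
}
```

One caveat for a real deployment: `filepath.Abs` only normalises the string. When the target already exists, resolve both the workspace root and the candidate with `filepath.EvalSymlinks` before calling `filepath.Rel`, otherwise a symlink inside the workspace that points outside it would still pass the check.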
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/siyuan-note/siyuan/kernel | Go | < 3.6.2 | 3.6.2 |
Affected products
- pkg:golang/github.com/siyuan-note/siyuan/kernel (no CPE), range: < 3.6.2
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6 (no CPE), range: < 0.0.20260326T203309-150000.1.155.2
- GHSA coordinates, range: < 3.6.2
References
- https://github.com/advisories/GHSA-vm69-h85x-8p85 (GHSA, ADVISORY)
- https://nvd.nist.gov/vuln/detail/CVE-2026-33194 (GHSA, ADVISORY)
- https://github.com/siyuan-note/siyuan/security/advisories/GHSA-vm69-h85x-8p85 (GHSA, x_refsource_CONFIRM, WEB)