SiYuan has an Incomplete Fix for IsSensitivePath Denylist Allows File Read from /opt, /usr, /home
Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the IsSensitivePath() function in kernel/util/path.go uses a denylist approach that was recently expanded (GHSA-h5vh-m7fg-w5h6, commit 9914fd1) but remains incomplete. Multiple security-relevant Linux directories are not blocked, including /opt (application data), /usr (local configs/binaries), /home (other users), /mnt and /media (mounted volumes). The globalCopyFiles and importStdMd endpoints rely on IsSensitivePath as their primary defense against reading files outside the workspace. Version 3.6.2 contains an updated fix.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/siyuan-note/siyuan/kernelGo | < 3.6.2 | 3.6.2 |
Affected products
1- Range: < 3.6.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-vm69-h85x-8p85ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33194ghsaADVISORY
- github.com/siyuan-note/siyuan/security/advisories/GHSA-vm69-h85x-8p85ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.