Remote Code Execution Risk in SiYuan Personal Knowledge Management System
CVE-2026-32749

7.6 HIGH

Key Information:

CVE Published:
19 March 2026

What is CVE-2026-32749?

SiYuan, a personal knowledge management system, lets an administrator upload archives through its API. In versions up to and including 3.6.0 the contents of an uploaded archive are extracted without proper path sanitisation: an entry whose name contains traversal sequences is written wherever that name resolves, potentially outside the designated temporary directory. An attacker who holds administrator credentials (the API demands them, which is why Privileges Required is High) can therefore overwrite arbitrary files the SiYuan process can reach, causing data loss by clobbering critical application files and opening a path to remote code execution. The impact is worst in Docker deployments that run the application as root, where the same write primitive can compromise the whole container. The issue is fixed in version 3.6.1.
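The extraction flaw described above, as an added illustration that is not SiYuan's own code: a small Go zip extractor with the vulnerable path mapping (entry name joined onto the temp directory and used as-is) beside a hardened one that rejects any entry resolving outside that directory, refuses symlink entries, and validates the whole archive before writing a single file. All function names, the sample archive entries and the directory layout are constructed for this example; SiYuan's real endpoint, handler and file paths are not reproduced.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when an archive entry would resolve outside the extraction directory.
var ErrTraversal = errors.New("archive entry escapes extraction directory")

// archiveEntry is a constructed sample entry used to build archives in memory for the demo.
type archiveEntry struct{ Name, Body string }

// buildArchive builds a zip in memory. archive/zip does not validate entry names when
// writing, so "../x" is stored verbatim, exactly as a hostile upload would carry it.
func buildArchive(entries []archiveEntry) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, _ := w.Create(e.Name) // constructed input; writer errors are not expected here
		fw.Write([]byte(e.Body))
	}
	w.Close()
	return buf.Bytes()
}

// unsafeEntryPath is the vulnerable pattern: the entry name is joined onto dest with no
// check on where the cleaned result lands, so "../conf/x" silently leaves dest.
func unsafeEntryPath(dest, name string) (string, error) {
	return filepath.Join(dest, name), nil
}

// safeEntryPath resolves name under dest and rejects anything whose cleaned form is not
// strictly inside dest. Backslashes count as separators so an entry produced by a Windows
// tool ("..\conf\x") is not mistaken for a single odd file name on Linux.
func safeEntryPath(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, filepath.FromSlash(strings.ReplaceAll(name, `\`, "/")))
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// extractZip maps every entry through pathFn before writing anything, so one hostile
// entry rejects the whole upload instead of leaving a half-extracted archive behind.
// Symlink entries are refused: a link pointing outside dest, followed by a file written
// through it, is the other classic way out of the extraction directory.
func extractZip(data []byte, dest string, pathFn func(dest, name string) (string, error)) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	// Go 1.20+ may report ErrInsecurePath (with GODEBUG=zipinsecurepath=0) and still hand
	// back a usable reader; the per-entry checks below are what actually protect us.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	targets := make([]string, len(r.File))
	for i, f := range r.File {
		if f.Mode()&os.ModeSymlink != 0 {
			return nil, fmt.Errorf("%q: symlink entries are not allowed", f.Name)
		}
		if targets[i], err = pathFn(dest, f.Name); err != nil {
			return nil, fmt.Errorf("%q: %w", f.Name, err)
		}
	}
	var written []string
	for i, f := range r.File {
		if f.FileInfo().IsDir() {
			continue // parent directories are created on demand below
		}
		if err := os.MkdirAll(filepath.Dir(targets[i]), 0o755); err != nil {
			return written, err
		}
		if err := copyEntry(f, targets[i]); err != nil {
			return written, err
		}
		written = append(written, targets[i])
	}
	return written, nil
}

// copyEntry streams one archive entry to target, truncating any existing file.
func copyEntry(f *zip.File, target string) error {
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = io.Copy(out, rc)
	return err
}
```

With an archive holding a benign entry `notebook/doc.sy` and a hostile `../conf/conf.json`, `extractZip(data, "<root>/temp", unsafeEntryPath)` writes the hostile entry to `<root>/conf/conf.json`, one level above the extraction directory; the same call with `safeEntryPath` returns `ErrTraversal` and writes nothing. Validating before writing matters: checking entries one at a time while extracting still leaves the benign files on disk when a later entry is rejected.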

Affected Version(s)

siyuan < 3.6.1

CVSS V3.1

Score: 7.6
Severity: HIGH
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: High
Availability: Low

Timeline

  • Vulnerability reserved
  • Vulnerability published: 19 March 2026