Path Traversal Vulnerability in SiYuan Personal Knowledge Management System
CVE-2026-32938

9.9 CRITICAL

Key Information:

CVE Published:
20 March 2026

What is CVE-2026-32938?

SiYuan, a personal knowledge management system, is vulnerable to path traversal because its /api/lute/html2BlockDOM endpoint does not properly validate file paths. In versions up to and including 3.6.0, a user can paste HTML that contains file:// links pointing at local files; the endpoint resolves those links and the referenced files end up in the workspace's assets directory, from where they can be read back. Any authenticated user of the publish service can therefore copy and read arbitrary files on the host, since no check confirms that the referenced path lies somewhere the user is allowed to access. The issue is fixed in version 3.6.1.
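The following is an added example, not SiYuan's own code and not the upstream fix: it sketches, in Go (SiYuan's kernel language), the weak pattern the advisory describes beside a hardened version of the same check. The function names, the `allowedRoot` parameter, and the regex-based attribute scanner are assumptions made for illustration; the sample workspace and pasted HTML are constructed inline.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrRejected is returned for any file:// reference that must not be imported.
var ErrRejected = errors.New("local file reference rejected")

// attrRef pulls href/src values out of pasted HTML (a constructed stand-in for a real parser).
var attrRef = regexp.MustCompile(`(?i)\b(?:href|src)\s*=\s*["']([^"']+)["']`)

// vulnerableLocalPath is a hypothetical sketch of the weak pattern: a file:// href is
// mapped straight to a filesystem path, which an importer then copies, with no check.
func vulnerableLocalPath(href string) (string, error) {
	u, err := url.Parse(href)
	if err != nil || u.Scheme != "file" {
		return "", ErrRejected
	}
	return filepath.FromSlash(u.Path), nil
}

// hardenedLocalPath accepts a file:// href only when the referenced file, after cleaning
// and symlink resolution, lies inside allowedRoot (assumed: the directory a user may import from).
func hardenedLocalPath(href, allowedRoot string) (string, error) {
	u, err := url.Parse(href)
	if err != nil || u.Scheme != "file" {
		return "", ErrRejected
	}
	// file://host/... (UNC shares, remote hosts) is never a local import.
	if u.Host != "" && u.Host != "localhost" {
		return "", ErrRejected
	}
	// url.Parse has already percent-decoded u.Path, so %2e%2e/ is ../ here;
	// Clean collapses every ../ so the candidate is the path actually targeted.
	candidate := filepath.Clean(filepath.FromSlash(u.Path))
	if !filepath.IsAbs(candidate) {
		return "", ErrRejected
	}
	root, err := filepath.EvalSymlinks(allowedRoot)
	if err != nil {
		return "", fmt.Errorf("bad allowed root: %w", err)
	}
	// Resolve symlinks before the containment check: a link inside the root that
	// points at /etc/shadow must fail here. A missing file is rejected too.
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil || !inside(root, resolved) {
		return "", ErrRejected
	}
	return resolved, nil
}

// inside reports whether p is root itself or a descendant of root.
func inside(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// importLocalAssets scans pasted HTML and returns the local files the hardened check
// would let an importer copy into assets, plus the hrefs it refused. It copies nothing.
func importLocalAssets(html, allowedRoot string) (allowed, rejected []string) {
	for _, m := range attrRef.FindAllStringSubmatch(html, -1) {
		href := m[1]
		if !strings.HasPrefix(strings.ToLower(href), "file:") {
			continue // http(s), relative and data: URLs are not local file reads
		}
		if p, err := hardenedLocalPath(href, allowedRoot); err == nil {
			allowed = append(allowed, p)
		} else {
			rejected = append(rejected, href)
		}
	}
	return allowed, rejected
}

func main() {
	// Constructed workspace and pasted HTML; the second link is the kind of
	// reference the advisory describes.
	root, _ := os.MkdirTemp("", "siyuan-demo")
	defer os.RemoveAll(root)
	_ = os.WriteFile(filepath.Join(root, "diagram.png"), []byte("png"), 0o600)
	html := `<img src="file://` + root + `/diagram.png"><a href="file:///etc/passwd">passwd</a>`
	p, err := vulnerableLocalPath("file:///etc/passwd")
	fmt.Println("unchecked mapping:", p, err)
	ok, bad := importLocalAssets(html, root)
	fmt.Println("allowed:", ok, "rejected:", bad)
}
```

The containment check runs on the symlink-resolved path, not on the string the user supplied, and the resolved path is what the caller should then open and copy; checking one path and copying another reopens the hole. Rejecting file:// references from untrusted HTML outright is the simpler option where local imports are not a required feature.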

Affected Version(s)

siyuan < 3.6.1

CVSS v3.1

Score: 9.9 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: High

Timeline

  • Vulnerability published: 20 March 2026

  • Vulnerability reserved