SQL Injection Vulnerability in SiYuan Personal Knowledge Management System
CVE-2026-59834

7.5HIGH

Key Information:

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-59834?

SiYuan, an open-source personal knowledge management system, has a vulnerability in prior versions to 3.7.1 that allows unauthenticated users to exploit the block search endpoint. Specifically, the endpoint POST /api/search/fullTextSearchBlock concatenates attacker-controlled path values into SQL predicates for non-SQL search operations. This flaw makes it possible for an attacker to perform a UNION SELECT injection and retrieve rows from hidden documents. The vulnerability is addressed in version 3.7.1.

Affected Version(s)

siyuan < 3.7.1

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.