Sensitive Data Exposure in SiYuan Knowledge Management System
CVE-2026-59853

6.5MEDIUM

Key Information:

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-59853?

The SiYuan personal knowledge management system has a vulnerability where the /api/storage/getCriteria endpoint can return sensitive search criteria without appropriate access controls. This allows users with publish-mode reader access to view private document paths, notebook IDs, and search functionality for unpublished documents. The issue was remedied in version 3.7.1, emphasizing the importance of rigorous access filtering across all endpoints.

Affected Version(s)

siyuan < 3.7.1

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.