Platform: go
Component: github.com/siyuan-note/siyuan/kernel
Fixed in: 3.5.5 (Go module version 0.0.0-20260118092326-b2274baba2e1)
CVE-2026-23850 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the SiYuan Kernel, the core component of the SiYuan note-taking application. This flaw allows an attacker to potentially read arbitrary files on the server. The vulnerability impacts versions of SiYuan Kernel prior to 0.0.0-20260118092326-b2274baba2e1. A patch has been released to address this issue.
The SSRF vulnerability in SiYuan Kernel lets an attacker supply a URL that the kernel itself fetches, with no restriction on where that request may go and with the fetched content handed back to the requester. Pointed at a local target instead of a remote one, the fetch becomes an arbitrary file read: whatever the kernel process can open, the attacker can read, including configuration files and any credentials or tokens stored on the host. Instances whose kernel listener is reachable from untrusted networks are the most exposed, since the request can then be made remotely.
CVE-2026-23850 was publicly disclosed on 2026-02-03. There is no indication of active exploitation campaigns at this time, and the vulnerability is not listed in the CISA KEV catalog. No public proof-of-concept (PoC) is available yet, but SSRF-to-file-read bugs are usually simple to reproduce once the affected input path is known, so one should be expected.
Exploit Status
EPSS: 0.09% (25th percentile)
CISA SSVC: (none listed)
The primary mitigation for CVE-2026-23850 is to upgrade SiYuan Kernel to 0.0.0-20260118092326-b2274baba2e1 or later (release 3.5.5 in the header above). If upgrading is not immediately feasible, reduce exposure rather than relying on request filtering alone: do not expose the kernel's listener to untrusted networks; run the kernel as an unprivileged user that can read only its own workspace, so a successful file read cannot reach credentials or configuration elsewhere on the host; and apply egress controls (host firewall or container network policy) so the kernel process cannot open connections to internal services. If you do add URL validation in front of the kernel, allow only http and https, reject loopback, private and link-local targets, and decide on the resolved address rather than the hostname string. A WAF is of limited use here: it inspects inbound HTTP and never sees the kernel's own outbound fetches or local file access, which is where this bug does its damage. After upgrading, verify the fix with a harmless probe: submit a URL that targets a local file or a loopback address through the same input path and confirm the kernel rejects it instead of returning content, then check the kernel's logs for the rejected request.
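The URL validation the mitigation paragraph describes, written out as an added example in Go. This is illustrative code, not SiYuan's kernel code, and it does not reproduce the vulnerable function; the hostnames example.org and rebind.test, the resolver table and the addresses are constructed for the demo. It shows the three checks that matter for an SSRF that turns into a file read: the scheme allowlist (file:// is rejected outright), the check on every resolved address rather than on the hostname text, and an HTTP client that re-checks at dial time so that DNS rebinding and redirects cannot bypass the first check.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Added example, not SiYuan code: the guard a server-side fetcher needs before
// it dereferences a user-supplied URL. Only http/https is allowed (file:// is
// how an SSRF turns into a local file read), and the decision is made on the
// resolved addresses, never on the hostname string.

var ErrScheme = errors.New("ssrf: scheme not allowed")
var ErrHost = errors.New("ssrf: host not allowed")

var _, cgnat, _ = net.ParseCIDR("100.64.0.0/10") // shared address space; not in IsPrivate

// Resolver is a parameter so tests can substitute a fixed table for DNS;
// production code passes net.LookupIP, which has this signature.
type Resolver func(host string) ([]net.IP, error)

// isForbiddenIP: loopback, RFC 1918, ULA, link-local (covers the 169.254.169.254
// metadata address), unspecified, multicast and CGNAT. net.IP unwraps ::ffff:a.b.c.d.
func isForbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsMulticast() || cgnat.Contains(ip)
}

// vet rejects host if any address is forbidden: the dialer may pick any of them.
func vet(host string, ips []net.IP) error {
	if len(ips) == 0 {
		return fmt.Errorf("%w: %q unresolved", ErrHost, host)
	}
	for _, ip := range ips {
		if isForbiddenIP(ip) {
			return fmt.Errorf("%w: %s -> %s", ErrHost, host, ip)
		}
	}
	return nil
}

// CheckURL returns the parsed URL only if it is http(s) and every address passes vet.
func CheckURL(raw string, resolve Resolver) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if s := strings.ToLower(u.Scheme); s != "http" && s != "https" {
		return nil, fmt.Errorf("%w: %q", ErrScheme, u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, fmt.Errorf("%w: empty host", ErrHost)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: nothing to resolve
	} else if ips, err = resolve(host); err != nil {
		return nil, err
	}
	if err := vet(host, ips); err != nil {
		return nil, err
	}
	return u, nil
}

// SafeClient vets the resolved address again at dial time and connects to that
// IP, so a DNS answer that changes after CheckURL (rebinding) cannot reach an
// internal address. Redirect targets go through the same dial, so a public host
// that 302s to http://127.0.0.1/ is refused as well.
func SafeClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second}
	dial := func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		ips, err := net.DefaultResolver.LookupIP(ctx, "ip", host)
		if err != nil {
			return nil, err
		}
		if err := vet(host, ips); err != nil {
			return nil, err
		}
		return d.DialContext(ctx, network, net.JoinHostPort(ips[0].String(), port))
	}
	return &http.Client{Transport: &http.Transport{DialContext: dial}, Timeout: 15 * time.Second}
}

func main() {
	// Constructed table standing in for DNS; nothing here touches the network.
	table := map[string][]net.IP{"example.org": {net.ParseIP("93.184.216.34")}, "rebind.test": {net.ParseIP("10.0.0.5")}}
	resolve := func(h string) ([]net.IP, error) { return table[h], nil }
	for _, raw := range []string{"file:///etc/passwd", "http://[::ffff:169.254.169.254]/", "http://rebind.test/", "https://example.org/"} {
		_, err := CheckURL(raw, resolve)
		fmt.Println(raw, "=>", err)
	}
}
```

Call CheckURL with net.LookupIP as the resolver and then perform the fetch with SafeClient; the first call gives the user a clear rejection, the second makes sure the rejection cannot be undone by a DNS answer that changes between check and connect. The IPv4-mapped IPv6 form in the demo is there because it is the usual way past a check that only looks at the textual host.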
Update SiYuan to version 3.5.4 or later. That release fixes the arbitrary file read (LFD) caused by unrestricted server-side HTML rendering in the markdown function, and prevents unauthorized access to sensitive files on the system. (The version table at the top of this page lists 3.5.5 as the fixed release; install the later of the two.)
CVE-2026-23850 is a Server-Side Request Forgery (SSRF) vulnerability in the SiYuan Kernel, allowing attackers to potentially read arbitrary files on the server. It has a CVSS score of 7.5 (HIGH).
You are affected if you are using SiYuan Kernel versions prior to 0.0.0-20260118092326-b2274baba2e1. Upgrade to the patched version to mitigate the risk.
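An added example, not vendor tooling, for deciding from a go.mod whether a build is affected. The fixed version the page gives is a Go pseudo-version, so the question is whether the pinned commit timestamp predates 20260118092326; the code parses the require section, extracts that timestamp and compares. The sample go.mod is constructed for the demo. Projects that pin a tagged release get an error rather than a guess (compare the tag against 3.5.5 yourself), and replace directives are not followed, both noted in the comments.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Added example, not vendor tooling: decide from a go.mod whether a build pins
// the kernel module below the fix. A Go pseudo-version embeds the commit time
// (vX.Y.Z-[pre.]yyyymmddhhmmss-commit), and pseudo-versions order by it.

const (
	AffectedModule = "github.com/siyuan-note/siyuan/kernel"
	FixedVersion   = "v0.0.0-20260118092326-b2274baba2e1" // header value, with go.mod's leading v
)

var (
	pseudoRe  = regexp.MustCompile(`^v\d+\.\d+\.\d+-(?:[^-]*\.)?(\d{14})-[0-9a-f]{12}$`)
	ErrTagged = errors.New("tagged release pinned: compare it against 3.5.5 by hand")
)

// PseudoTimestamp returns the yyyymmddhhmmss field of a pseudo-version.
func PseudoTimestamp(v string) (string, bool) {
	m := pseudoRe.FindStringSubmatch(v)
	if m == nil {
		return "", false
	}
	return m[1], true
}

// ParseRequires maps module -> version from go.mod text, handling single-line
// requires and require ( ... ) blocks. replace directives are deliberately not
// followed: a replaced module must be checked against its replacement.
func ParseRequires(gomod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // strip comments such as "// indirect"
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			out[f[0]] = f[1]
		case f[0] == "require" && len(f) == 3:
			out[f[1]] = f[2]
		}
	}
	return out
}

// Affected reports whether gomod requires AffectedModule at a pseudo-version
// older than FixedVersion; the 14-digit timestamps compare correctly as strings.
func Affected(gomod string) (affected bool, version string, err error) {
	v, ok := ParseRequires(gomod)[AffectedModule]
	if !ok {
		return false, "", nil
	}
	ts, ok := PseudoTimestamp(v)
	if !ok {
		return false, v, ErrTagged
	}
	fixedTS, _ := PseudoTimestamp(FixedVersion)
	return ts < fixedTS, v, nil
}

// sampleGoMod is constructed for the demo and is not from any real project.
const sampleGoMod = `module example.com/siyuan-plugin

go 1.22

require (
	github.com/siyuan-note/siyuan/kernel v0.0.0-20251203104512-0123456789ab
	golang.org/x/text v0.21.0 // indirect
)
`

func main() {
	hit, v, err := Affected(sampleGoMod)
	fmt.Printf("%s %s affected=%v err=%v\n", AffectedModule, v, hit, err)
}
```

Feed it the go.mod of the binary you actually deploy; for a module that is only reached transitively, `go list -m all` in that module prints the resolved version to paste into the same check.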
Upgrade SiYuan Kernel to version 0.0.0-20260118092326-b2274baba2e1 or later. Until you can, keep the kernel's listener off untrusted networks, restrict the URLs it will fetch to public http/https targets, and run it with the least file-system access it needs.
There is currently no indication of active exploitation campaigns, but SSRF flaws of this kind are easy to weaponize once the affected input path is known, so treat it as a likely target.
Refer to the official SiYuan project website or GitHub repository for the latest security advisories and updates related to CVE-2026-23850.