Platform: go
Component: github.com/siyuan-note/siyuan/kernel
Fixed in: 3.5.5 (module pseudo-version 0.0.0-20260118092521-f8f4b517077b)
CVE-2026-23851 describes an Arbitrary File Access vulnerability discovered in the SiYuan kernel, a core component of the SiYuan note-taking application. This vulnerability allows an attacker to read arbitrary files from the system, potentially exposing sensitive data. The vulnerability affects versions of SiYuan prior to 0.0.0-20260118092521-f8f4b517077b. A patch has been released to address this issue.
Successful exploitation of CVE-2026-23851 allows an attacker to read any file accessible to the SiYuan process. This includes configuration files, potentially containing database credentials or API keys, as well as user data and other sensitive information stored on the system. The impact is significant as it could lead to data breaches, privilege escalation, and further compromise of the affected system. The ability to read arbitrary files bypasses typical access controls, making it a particularly dangerous vulnerability.
CVE-2026-23851 was publicly disclosed on 2026-02-03. The vulnerability's impact stems from a flaw in the file copy functionality within the SiYuan kernel. No public proof-of-concept exploits are currently known, but the ease of arbitrary file read suggests a potential for rapid exploitation if a PoC is developed. The vulnerability is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.04% (12th percentile)
CISA SSVC
The primary mitigation for CVE-2026-23851 is to upgrade SiYuan to version 0.0.0-20260118092521-f8f4b517077b or later. If immediate upgrading is not possible, consider restricting file system access for the SiYuan process to only necessary directories. Implement strict input validation and sanitization to prevent malicious file paths from being processed. Monitor system logs for unusual file access patterns that might indicate exploitation attempts.
Update SiYuan to version 3.5.4 or later. This version fixes the arbitrary file read vulnerability by correctly validating the paths of copied files.
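The path validation the mitigation calls for, as an added example that is not SiYuan's own code: a hypothetical Go helper, ResolveInWorkspace, that a file-copy handler would run on both the source and the destination path before copying. It refuses absolute input, folds ".." lexically, and resolves symlinks (of the target or of its nearest existing ancestor, for destinations that do not exist yet) so that a link already inside the workspace root cannot reach files outside it. The workspace root and all path names are assumptions for the example.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideWorkspace = errors.New("path escapes workspace root")

// ResolveInWorkspace maps an untrusted, client-supplied relative path onto the
// workspace root (an absolute, existing directory) and returns the absolute target
// only if it stays inside the root both lexically and after symlink resolution.
func ResolveInWorkspace(root, untrusted string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root) // physical root; must exist
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(root, untrusted) // Join cleans, folding ".."
	resolved, err := evalExisting(candidate)    // physical target
	if err != nil || untrusted == "" || filepath.IsAbs(untrusted) ||
		!within(root, candidate) || !within(realRoot, resolved) {
		return "", ErrOutsideWorkspace
	}
	return candidate, nil
}

// within reports whether p equals root or lies beneath it ("root2" and "..foo" are not escapes).
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// evalExisting resolves symlinks in p, or in its nearest existing ancestor when p does not exist yet.
func evalExisting(p string) (string, error) {
	tail := ""
	for {
		phys, err := filepath.EvalSymlinks(p)
		if err == nil {
			return filepath.Join(phys, tail), nil
		}
		// Refuse a dangling symlink (p exists but does not resolve), any I/O error, or reaching "/".
		if _, lerr := os.Lstat(p); lerr == nil || !os.IsNotExist(err) || filepath.Dir(p) == p {
			return "", errors.New("cannot resolve " + p)
		}
		tail = filepath.Join(filepath.Base(p), tail)
		p = filepath.Dir(p)
	}
}
```

Calling this for both ends of a copy means the handler copies only between paths that physically live under the root.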
CVE-2026-23851 is a HIGH severity vulnerability in the SiYuan kernel allowing attackers to read arbitrary files. It affects versions before 0.0.0-20260118092521-f8f4b517077b.
You are affected if you are using SiYuan kernel versions prior to 0.0.0-20260118092521-f8f4b517077b. Check your version and upgrade immediately.
Upgrade SiYuan to version 0.0.0-20260118092521-f8f4b517077b or later. If upgrading is not immediately possible, restrict file system access for the SiYuan process.
There are currently no reports of active exploitation, but the vulnerability's nature suggests a potential for rapid exploitation if a proof-of-concept is developed.
Refer to the SiYuan project's official website and GitHub repository for the latest security advisories and updates.