Platform: go
Component: github.com/siyuan-note/siyuan/kernel
Fixed version: 3.6.2
0.0.1
CVE-2026-32938 is an arbitrary file access vulnerability in the SiYuan kernel. It lets an attacker make the kernel copy sensitive local files into the workspace and then exfiltrate them. The vulnerability affects SiYuan versions up to and including 0.0.0-20260313024916-fd6526133bb3. A fix is available in version 3.6.1.
The flaw is in the /api/lute/html2BlockDOM endpoint, which converts pasted HTML into block DOM. An attacker supplies HTML containing file:// links that point at sensitive local files; the kernel follows those links and copies the referenced files into the workspace assets directory without validating that the source path is one it should be reading from. The copied files are then served by the /assets/*path endpoint, which requires authentication but otherwise returns them to a plain GET request, so any authenticated user can retrieve them. Everything readable by the OS user running the SiYuan kernel is exposed, including configuration files, credentials and other confidential data stored on the machine.
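The copy-without-validation step described above, as an added illustration that is not the SiYuan kernel's own code: a minimal importer that follows file:// links from pasted HTML the way the advisory describes, next to a contained version that resolves symlinks and refuses anything outside an allowed directory. The function names, the regex-based link extraction, the "clipboard" directory used as the allowed root and the sample payload are all assumptions made for this example; the actual fix shipped in 3.6.1 is not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrOutsideAllowedRoot is returned when a file:// reference resolves outside
// the directory the importer is permitted to read from.
var ErrOutsideAllowedRoot = errors.New("file reference resolves outside the allowed root")

// fileRefRe pulls file:// values out of src/href attributes. It is a stand-in
// for walking the parsed DOM, used only to keep this example self-contained.
var fileRefRe = regexp.MustCompile(`(?i)(?:src|href)\s*=\s*["'](file://[^"']+)["']`)

// extractFileRefs returns every file:// reference found in pasted HTML.
func extractFileRefs(html string) []string {
	var refs []string
	for _, m := range fileRefRe.FindAllStringSubmatch(html, -1) {
		refs = append(refs, m[1])
	}
	return refs
}

// localPath turns file:///home/u/x.png into /home/u/x.png. Only local file
// URLs (no host, or host "localhost") are accepted. Windows drive paths
// (file:///C:/...) are deliberately not handled in this example.
func localPath(fileURL string) (string, error) {
	u, err := url.Parse(fileURL)
	if err != nil {
		return "", err
	}
	if u.Scheme != "file" {
		return "", fmt.Errorf("not a file URL: %q", fileURL)
	}
	if u.Host != "" && u.Host != "localhost" {
		return "", fmt.Errorf("remote host in file URL: %q", fileURL)
	}
	return filepath.FromSlash(u.Path), nil
}

func copyFile(src, dst string) error {
	data, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	return os.WriteFile(dst, data, 0o644)
}

// importAssetUnchecked reproduces the behaviour the advisory describes:
// whatever the link points at is copied into assetsDir, so
// file:///etc/passwd ends up as assets/passwd.
func importAssetUnchecked(assetsDir, fileURL string) (string, error) {
	src, err := localPath(fileURL)
	if err != nil {
		return "", err
	}
	dst := filepath.Join(assetsDir, filepath.Base(src))
	return dst, copyFile(src, dst)
}

// importAssetContained only copies the file if its symlink-resolved path lies
// under allowedRoot. Resolving symlinks on both sides defeats a link planted
// inside allowedRoot that points at a sensitive file elsewhere, and also
// handles "..": EvalSymlinks returns a cleaned absolute path.
func importAssetContained(assetsDir, allowedRoot, fileURL string) (string, error) {
	src, err := localPath(fileURL)
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(src)
	if err != nil {
		return "", err
	}
	root, err := filepath.EvalSymlinks(allowedRoot)
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(root, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideAllowedRoot
	}
	dst := filepath.Join(assetsDir, filepath.Base(resolved))
	return dst, copyFile(resolved, dst)
}

func main() {
	ws, err := os.MkdirTemp("", "siyuan-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(ws)
	assets, allowed := filepath.Join(ws, "assets"), filepath.Join(ws, "clipboard")
	os.MkdirAll(assets, 0o755)
	os.MkdirAll(allowed, 0o755)
	secret := filepath.Join(ws, "secret.txt") // constructed stand-in for a credentials file
	os.WriteFile(secret, []byte("token=abc"), 0o600)
	for _, ref := range extractFileRefs(`<p><img src="file://` + secret + `"></p>`) { // constructed payload
		dst, err := importAssetUnchecked(assets, ref)
		fmt.Printf("unchecked: copied to %s (err=%v)\n", dst, err)
		_, err = importAssetContained(assets, allowed, ref)
		fmt.Printf("contained: %v\n", err)
	}
}
```

The containment check is the part that matters: a prefix comparison on the raw string would pass `clipboard/../secret.txt` and a symlink inside the allowed directory, which is why both paths are resolved before `filepath.Rel` is consulted.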
The vulnerability was publicly disclosed on 2026-03-17 and is rated CRITICAL (CVSS 9.9). No public proof-of-concept has been released as of this writing, but the flaw is easy to exploit, which makes it a likely target. It is not currently listed in CISA KEV. Because it is triggered by pasting HTML, a plausible delivery path is phishing or sharing a malicious document that the victim then pastes into SiYuan.
SiYuan users who handle sensitive data, especially those who regularly paste content from external sources, are at significant risk. Shared or hosted deployments and older configurations without strong access controls are particularly exposed.
• linux / server:
  journalctl -u siyuan -g "html2BlockDOM"   # kernel log lines that mention the endpoint
• generic web:
  curl -I 'http://<siyuan_server>/api/lute/html2BlockDOM'   # confirm whether the endpoint is reachable from the network; the file:// reference travels inside the pasted HTML, not in the URL, so this does not exercise the flaw itself
• generic web:
  grep -r 'file://' /var/log/nginx/access.log   # file:// strings in a reverse proxy's access log; request bodies are normally not logged, so an empty result is not evidence of absence
Disclosure
Exploit status
EPSS: 0.22% (45th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation is to upgrade to SiYuan version 3.6.1 or later, which adds the missing path validation. If an immediate upgrade is not feasible, consider restricting who can reach the /assets/*path endpoint; note that it already requires authentication, so this does not stop an authenticated attacker and does not address the underlying copy step. A more useful interim control is a Web Application Firewall rule that rejects requests to /api/lute/html2BlockDOM whose body contains file:// references. Monitor SiYuan logs for unusual file access patterns and watch for unexpected new files in the workspace assets directory. No specific Sigma or YARA rules are available at this time, but alerting on file creation events in the workspace directory is recommended.
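One way to implement the interim WAF-style rule described above, as an added example that is neither SiYuan's code nor part of the original page: a small Go reverse proxy that sits in front of the kernel and rejects html2BlockDOM requests whose body contains a file: scheme. It assumes the endpoint receives the pasted HTML in the request body (which is what the advisory's description implies), an upstream kernel at 127.0.0.1:6806 and a listener on 127.0.0.1:8080; both addresses are placeholders to adjust for your deployment.

```go
package main

import (
	"bytes"
	"io"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"regexp"
)

// Only bodies up to this size are inspected; anything larger is refused rather
// than passed through uninspected.
const maxInspectBytes = 8 << 20

// fileSchemeRe matches a file: scheme wherever it appears in the body, so it
// also catches the JSON-escaped form file:\/\/ that a client library may emit.
// The word boundary keeps words such as "profile:" from matching.
var fileSchemeRe = regexp.MustCompile(`(?i)\bfile\s*:`)

// containsFileScheme reports whether a request body carries a file: reference.
func containsFileScheme(body []byte) bool {
	return fileSchemeRe.Match(body)
}

// blockFileLinks wraps a handler and rejects html2BlockDOM requests whose body
// contains a file: reference. Every other path is passed through untouched.
func blockFileLinks(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/api/lute/html2BlockDOM" {
			body, err := io.ReadAll(io.LimitReader(r.Body, maxInspectBytes+1))
			if err != nil || len(body) > maxInspectBytes {
				http.Error(w, "request body too large to inspect", http.StatusRequestEntityTooLarge)
				return
			}
			if containsFileScheme(body) {
				http.Error(w, "file:// references are not accepted", http.StatusForbidden)
				return
			}
			// Restore the body so the upstream kernel still receives it unchanged.
			r.Body = io.NopCloser(bytes.NewReader(body))
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed upstream address of the SiYuan kernel; adjust to your deployment.
	upstream, err := url.Parse("http://127.0.0.1:6806")
	if err != nil {
		log.Fatal(err)
	}
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", blockFileLinks(proxy)))
}
```

This is byte-level matching, so an entity-encoded reference such as `&#102;ile:///etc/passwd`, which an HTML parser decodes back to `file:`, will slip past it. Treat it as a stopgap until the upgrade is applied, not as a substitute for the fix.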
Update SiYuan to version 3.6.1 or later. That version fixes the vulnerability that allows arbitrary file reads. The update can be performed by downloading the latest release from the official website or by using the application's built-in update mechanism.
CVE-2026-32938 is a CRITICAL vulnerability in SiYuan's kernel allowing attackers to copy and exfiltrate sensitive files through HTML pasting, affecting versions up to 0.0.0-20260313024916-fd6526133bb3.
You are affected if you are using SiYuan kernel versions prior to 3.6.1. Check your version and upgrade immediately to mitigate the risk.
Upgrade to SiYuan version 3.6.1 or later. As a temporary workaround, restrict access to the /assets/*path endpoint.
While no public exploits are currently available, the vulnerability's ease of exploitation suggests it may become a target for attackers.
Refer to the official SiYuan security advisory for detailed information and updates: [https://github.com/siyuan-note/siyuan/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual advisory link)