Home / Vulnerability Intelligence / CVE-2026-32938

CVE-2026-32938 - Vulnerability Analysis

CriticalCVSS: 9.9

Last Updated: March 20, 2026

SiYuan - Information Disclosure

Published: March 20, 2026Updated: March 20, 2026Remote Exploitable

Overview

SiYuan <= 3.6.0 contains an information disclosure caused by improper validation of file:// links in /api/lute/html2BlockDOM, letting authenticated publish-service visitors exfiltrate sensitive files via GET /assets/*path.

Severity & Score

Severity: Critical

CVSS Score: 9.9

Impact

Authenticated visitors can exfiltrate sensitive files from the system, leading to data leakage.

Mitigation

Update to version 3.6.1 or later.

References

https://github.com/siyuan-note/siyuan/commit/294b8b429dea152cd1df522cddf406054c1619ad
https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-fq2j-j8hc-8vw8

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-32938
Severity: Critical
CVSS Score: 9.9
Type: path_traversal
Status: new

CWE

CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H