Home / Vulnerability Intelligence / CVE-2026-32938

CVE-2026-32938 - Vulnerability Analysis

CriticalCVSS: 9.9

Last Updated: March 20, 2026

SiYuan - Information Disclosure

Published: March 20, 2026Updated: March 20, 2026Remote Exploitable

Overview

SiYuan <= 3.6.0 contains an information disclosure caused by improper validation of file:// links in /api/lute/html2BlockDOM, letting authenticated publish-service visitors exfiltrate sensitive files via GET /assets/*path.

Severity & Score

Severity: Critical

CVSS Score: 9.9

EPSS Score: 8.9%(Probability of exploitation in next 30 days)

Impact

Authenticated visitors can exfiltrate sensitive files from the system, leading to data leakage.

Mitigation

Update to version 3.6.1 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 20, 2026

🔴 CVE-2026-32938 - Critical (9.9) SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths ag... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32938/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-32938
Severity: Critical
CVSS Score: 9.9
Type: path_traversal
Status: unconfirmed
EPSS: 8.9%
Social Posts: 1

CWE

CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H

EPSS Score

8.9%Probability of exploitation in the next 30 days