CVE-2026-32747

MEDIUM · EPSS 32.9%
CVSS 3.1 base score 4.9 (Medium)
Published Mar 19, 2026 (3mo ago) · Modified Jun 17, 2026 (2w ago)

Description

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the globalCopyFiles API reads source files using filepath.Abs() with no workspace boundary check, relying solely on util.IsSensitivePath(), whose blocklist omits /proc/, /run/secrets/, and home directory dotfiles. An admin can copy /proc/1/environ or Docker secrets into the workspace and read them via the standard file API. An admin can exfiltrate any file readable by the SiYuan process that falls outside the incomplete blocklist. In containerized deployments this includes all injected secrets and environment variables, a common pattern for passing credentials to containers. The exfiltrated files are then accessible via the standard workspace file API and persist until manually deleted. This issue has been fixed in version 3.6.1.
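To make the description concrete, the following Go snippet is an added illustration (not SiYuan's code and not its actual patch) contrasting a blocklist-only check with the workspace boundary check the description says was missing. The blocklist contents, the workspace path and the function names are constructed for this example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed blocklist standing in for the incomplete one the advisory
// describes: like the original, it names nothing under /proc/ or /run/secrets/.
var sensitivePrefixes = []string{"/etc/shadow", "/etc/passwd", "/root/.ssh/"}

// blocklistOnly is the weak pattern: absolutise the path, then refuse only
// what the blocklist happens to name. Everything else stays readable.
func blocklistOnly(src string) bool {
	abs, err := filepath.Abs(src)
	if err != nil {
		return false
	}
	for _, p := range sensitivePrefixes {
		if strings.HasPrefix(abs, p) {
			return false
		}
	}
	return true
}

// withinWorkspace is the boundary check: the source must resolve to a path
// inside the workspace root. filepath.Abs cleans ".." segments and filepath.Rel
// reports an escape as a path beginning with "..". Symlinks are not followed
// here; a production check would also apply filepath.EvalSymlinks to both paths.
func withinWorkspace(workspace, src string) bool {
	root, err := filepath.Abs(workspace)
	if err != nil {
		return false
	}
	abs, err := filepath.Abs(src)
	if err != nil {
		return false
	}
	rel, err := filepath.Rel(root, abs)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	ws := "/srv/siyuan/workspace" // hypothetical workspace root
	for _, src := range []string{ws + "/data/note.md", "/proc/1/environ", ws + "/../../../run/secrets/db_password"} {
		fmt.Printf("%-50s blocklist=%-5v boundary=%v\n", src, blocklistOnly(src), withinWorkspace(ws, src))
	}
}
```

The boundary check also rejects a sibling directory such as /srv/siyuan/workspace-other, which a naive string-prefix comparison on the workspace path would let through.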

CVSS Details

Base Score
4.9
Exploitability
1.2
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
32.9% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses (2)

CWE-184 Incomplete List of Disallowed Inputs
CWE-22 Path Traversal · Resource Mgmt

Affected Products (1)

Vendor   Product   Version   Range
b3log    siyuan    *         <3.6.1

References (3)

  • github.com https://github.com/siyuan-note/siyuan/commit/9914fd1d39e5f0a8dcc9fb587e1c0b46f31490a1
    Patch
  • github.com https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1
    Release Notes
  • github.com https://github.com/siyuan-note/siyuan/security/advisories/GHSA-h5vh-m7fg-w5h6
    Exploit · Vendor Advisory

Remediation

  • github.com https://github.com/siyuan-note/siyuan/commit/9914fd1d39e5f0a8dcc9fb587e1c0b46f31490a1
    Patch