CVE-2026-32110

CVSS Score & Metrics

Base Score

8.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L                                    

Vulnerability Description

SiYuan is a personal knowledge management system. Prior to 3.6.0, the /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and headers. There is no URL validation to prevent requests to internal networks, localhost, or cloud metadata services. This vulnerability is fixed in 3.6.0.

Vulnerability Details

Published Date

March 11, 2026

Last Modified

March 13, 2026

CWE ID

CWE-918

Source

NVD

Vendor

siyuan-note

Product

siyuan

External References

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-56cv-c5p2-j2wg

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment