CVE-2026-32704

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

6.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N                                    

Vulnerability Description

SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes. This vulnerability is fixed in 3.6.1.

Vulnerability Details

Published Date

March 13, 2026

Last Modified

March 17, 2026

CWE ID

CWE-285

Source

GitHub

Vendor

Product

github.com/siyuan-note/siyuan/kernel

External References

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4j3x-hhg2-fm2x
https://github.com/siyuan-note/siyuan/issues/17209
https://github.com/advisories/GHSA-4j3x-hhg2-fm2x

CVE-2026-32704

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment