CVE-2026-32750: SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes

March 16, 2026

POST /api/import/importStdMd passes the localPath parameter directly to model.ImportFromLocalPath with zero path validation. The function recursively reads every file under the given path and permanently stores their content as SiYuan note documents in the workspace database, making them searchable and accessible to all workspace users.

References

github.com/advisories/GHSA-rjhh-m223-9qqv
github.com/siyuan-note/siyuan
github.com/siyuan-note/siyuan/security/advisories/GHSA-rjhh-m223-9qqv
nvd.nist.gov/vuln/detail/CVE-2026-32750

Code Behaviors & Features

Detect and mitigate CVE-2026-32750 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →