CVE-2026-32938: SiYuan Vulnerable to Arbitrary File Read in Desktop Publish Service
In SiYuan, the desktop build's /api/lute/html2BlockDOM copies the local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating their paths against a sensitive-path list. Combined with GET /assets/*path, which requires only authentication, a visitor to the publish service can make the desktop kernel copy any readable sensitive file into assets and then fetch it via GET, leading to exfiltration of sensitive files.
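A hardened version of the path check the description says was missing, written here as an added example in Go (the language of the SiYuan kernel) and not SiYuan's own code: the sensitive-path list and the sample paths are constructed for illustration, and the function name CheckFileLink is hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// Constructed denylist for this example; a real kernel would load its own
// sensitive-path list (and should also refuse anything outside the user's
// chosen import roots).
var sensitiveRoots = []string{"/etc", "/root", "/proc", "/home/user/.ssh"}

var errSensitive = errors.New("file:// target is on the sensitive-path list")

// CheckFileLink is the gate a paste handler should apply to every file://
// href before copying the target into the assets directory. It returns the
// normalized local path on success.
func CheckFileLink(href string) (string, error) {
	u, err := url.Parse(href) // percent-encoding in the path is decoded here
	if err != nil {
		return "", err
	}
	if u.Scheme != "file" || u.Path == "" {
		return "", errors.New("not a file:// URL")
	}
	// Collapse ".." and "." so the denylist is compared against the path the
	// copy would actually open, not the spelling chosen in the pasted HTML.
	p := filepath.Clean(filepath.FromSlash(u.Path))
	if !filepath.IsAbs(p) {
		return "", errors.New("relative file:// path rejected")
	}
	// A production check should run filepath.EvalSymlinks first so a symlink
	// into /etc cannot bypass the list; omitted here so constructed paths work.
	for _, root := range sensitiveRoots {
		if underRoot(p, root) {
			return "", fmt.Errorf("%w: %s", errSensitive, p)
		}
	}
	return p, nil
}

// underRoot matches on path-segment boundaries so "/etcetera" is not
// mistaken for a child of "/etc".
func underRoot(p, root string) bool {
	return p == root || strings.HasPrefix(p, root+string(filepath.Separator))
}
```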
References
- github.com/advisories/GHSA-fq2j-j8hc-8vw8
- github.com/siyuan-note/siyuan
- github.com/siyuan-note/siyuan/commit/294b8b429dea152cd1df522cddf406054c1619ad
- github.com/siyuan-note/siyuan/releases/tag/v3.6.1
- github.com/siyuan-note/siyuan/security/advisories/GHSA-fq2j-j8hc-8vw8
- nvd.nist.gov/vuln/detail/CVE-2026-32938