GHSA-fq2j-j8hc-8vw8: SiYuan Vulnerable to Arbitrary File Read in Desktop Publish Service
In SiYuan, /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET /assets/*path, which only requires authentication, a publish-service visitor can cause the desktop kernel to copy any readable sensitive file and then read it via GET, leading to exfiltration of sensitive files.
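The missing control is the path check before the copy. As an added illustration (not SiYuan's own code), the function below resolves a file:// link from pasted HTML to a cleaned absolute path and accepts it only if it lies under an allowed root and under no entry of a sensitive-path deny list; the root and deny-list values, the function name and POSIX paths are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrRejected is returned for file:// links that must not be copied into the assets directory.
var ErrRejected = errors.New("file link rejected: outside allowed roots or on the sensitive-path list")

// underDir reports whether the absolute, cleaned path p equals dir or lies beneath it.
func underDir(p, dir string) bool {
	rel, err := filepath.Rel(dir, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ResolveFileLink turns a file:// URL from pasted HTML into a local path and accepts it only
// when the cleaned path is under one of allowedRoots and under none of the denied prefixes.
func ResolveFileLink(raw string, allowedRoots, denied []string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "file" || (u.Host != "" && u.Host != "localhost") {
		return "", ErrRejected
	}
	// Abs cleans "..", so "docs/../../../etc/shadow" is compared as "/etc/shadow".
	p, err := filepath.Abs(filepath.FromSlash(u.Path))
	if err != nil {
		return "", ErrRejected
	}
	for _, d := range denied {
		if underDir(p, d) {
			return "", ErrRejected
		}
	}
	for _, r := range allowedRoots {
		if underDir(p, r) {
			return p, nil
		}
	}
	return "", ErrRejected
}

func main() {
	p, err := ResolveFileLink("file:///home/user/docs/../../../etc/shadow",
		[]string{"/home/user/docs"}, []string{"/etc", "/home/user/.ssh"}) // constructed root and deny list
	fmt.Println(p, err)
}
```

The check is lexical: a symlink inside an allowed root can still point at a sensitive file, so a real implementation should resolve the path with filepath.EvalSymlinks before applying the same comparison.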