SUSE CVE-2026-32747

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the globalCopyFiles API eads source files using filepath.Abs with no workspace boundary check, relying solely on util.IsSensitivePath whose blocklist omits /proc/, /run/secrets/, and home directory dotfiles. An admin c...

GO-2026-4705 SiYuan globalCopyFiles: incomplete sensitive path blocklist allows reading /proc and Docker secrets in github.com/siyuan-note/siyuan/kernel

SiYuan globalCopyFiles: incomplete sensitive path blocklist allows reading /proc and Docker secrets in github.com/siyuan-note/siyuan/kernel...

CVE-2026-32747

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the globalCopyFiles API eads source files using filepath.Abs with no workspace boundary check, relying solely on util.IsSensitivePath whose blocklist omits /proc/, /run/secrets/, and home directory dotfiles. An admin c...

SiYuan 路径遍历漏洞

SiYuan is a privacy-oriented personal knowledge management system developed by SiYuan OpenSource. Versions of SiYuan prior to 3.6.2 contained a path traversal vulnerability. This vulnerability stemmed from the IsSensitivePath function using an incomplete denial list method, which could allow the...

CVE-2026-32747 SiYuan: Incomplete sensitive path blocklist in globalCopyFiles allows reading /proc and Docker secrets

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the globalCopyFiles API eads source files using filepath.Abs with no workspace boundary check, relying solely on util.IsSensitivePath whose blocklist omits /proc/, /run/secrets/, and home directory dotfiles. An admin c...

CVE-2026-32747

SiYuan CVE-2026-32747 affects versions 3.6.0 and below, where the globalCopyFiles API exposes files outside the workspace due to a flawed blocklist in filepath.Abs()-based path resolution. The util.IsSensitivePath() blocklist omits /proc/, /run/secrets/, and home directory dotfiles, enabling an a...

CVE-2026-32747 SiYuan: Incomplete sensitive path blocklist in globalCopyFiles allows reading /proc and Docker secrets

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the globalCopyFiles API eads source files using filepath.Abs with no workspace boundary check, relying solely on util.IsSensitivePath whose blocklist omits /proc/, /run/secrets/, and home directory dotfiles. An admin c...

SiYuan 安全漏洞

SiYuan is a privacy-oriented personal knowledge management system developed by SiYuan. Versions of SiYuan 3.6.0 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the lack of workspace boundary checks in the globalCopyFiles API, which could allow administrators to...

PT-2026-26210

Summary The IsSensitivePath function in kernel/util/path.go uses a denylist approach that was recently expanded GHSA-h5vh-m7fg-w5h6, commit 9914fd1 but remains incomplete. Multiple security-relevant Linux directories are not blocked, including /opt application data, /usr local configs/binaries,...

PT-2026-25852

Name of the Vulnerable Software and Affected Versions SiYuan versions 3.6.0 and below Description SiYuan, a personal knowledge management system, has an issue in the globalCopyFiles API. This API reads source files using filepath.Abs without proper workspace boundary checks. It relies on the...

SUSE CVE-2026-23851

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace without proper pat...

SiYuan Vulnerable to Arbitrary File Read via File Copy Functionality

Summary The SiYuan Note application v3.5.3 contains a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace without proper path validation Details The...

EUVD-2026-3291

SiYuan Vulnerable to Arbitrary File Read via File Copy Functionality...

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read via the globalCopyFiles function. An attacker can access sensitive files outside the intended directory by supplying arbitrary file paths to the API endpoint. Remediation Upgrade...

CVE-2026-23851

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace without proper pat...

CVE-2026-23851

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace without proper pat...

CVE-2026-23851 SiYuan Vulnerable to Arbitrary File Read via File Copy Functionality

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace without proper pat...

SiYuan path traversal vulnerability

SiYuan is a privacy-oriented personal knowledge management system developed by SiYuan. Versions of SiYuan prior to 3.5.4 contained a path traversal vulnerability. This vulnerability stemmed from a logical flaw in the/api/file/globalCopyFiles endpoint, which lacked proper path validation. As a...