Lucene search

6 matches found

NVD
added 2026/03/20 4:16 a.m. | 2 views

CVE-2026-32938

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET...

9.9 CVSS | 0.00299 EPSS
Exploits 1 | References 3
OSV
added 2026/03/20 3:19 a.m. | 1 views

CVE-2026-32938 SiYuan has an Arbitrary File Read in its Desktop Publish Service

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET...

9.9 CVSS | 6.2 AI score | 0.00299 EPSS
Exploits 1 | References 5
CNNVD
added 2026/03/20 12:0 a.m. | 2 views

SiYuan Access Control Error Vulnerability

SiYuan is a privacy-oriented personal knowledge management system developed by SiYuan. Versions of SiYuan 3.6.0 and earlier contained an access control vulnerability. This vulnerability stemmed from the lack of validation of file paths at the /api/lute/html2BlockDOM endpoint, which could lead to t...

9.9 CVSS | 6.4 AI score | 0.00299 EPSS
Exploits 1 | References 3
OSV
added 2026/03/17 2:7 p.m. | 2 views

GHSA-FQ2J-J8HC-8VW8 SiYuan Vulnerable to Arbitrary File Read in Desktop Publish Service

Summary: In SiYuan, /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET /assets/path, which only requires authentication, a publish-service...

9.9 CVSS | 5.8 AI score | 0.00299 EPSS
Exploits 1 | References 5
Snyk
added 2026/03/17 2:7 p.m. | 2 views

Directory Traversal

Overview: Affected versions of this package are vulnerable to Directory Traversal through the html2BlockDOM handler in kernel/api/lute.go and the asset-copying process in the desktop publish service. An attacker can exfiltrate sensitive local files readable by the desktop process by submitting HTM...

9.9 CVSS | 6.4 AI score | 0.00299 EPSS
Exploits 1 | References 2
Positive Technologies
added 2026/03/17 12:0 a.m. | 2 views

PT-2026-26177

Name of the Vulnerable Software and Affected Versions: SiYuan versions 3.6.0 and below. Description: SiYuan, a personal knowledge management system, has an issue where the /api/lute/html2BlockDOM endpoint on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace...

9.9 CVSS | 5.8 AI score | 0.00299 EPSS
Exploits 1 | References 13