5 matches found

NVD
added 2026/03/16 2:19 p.m., 3 views

CVE-2026-32704

SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes. Thi...

CVSS 6.5 | EPSS 0.00044
Exploits: 1 | References: 1
CNNVD
added 2026/03/16 12:0 a.m., 2 views

SiYuan security vulnerability

SiYuan is a privacy-oriented personal knowledge management system developed by SiYuan itself. Versions of SiYuan prior to 3.6.1 contained security vulnerabilities. These vulnerabilities stemmed from the lack of model checking in the POST /api/template/renderSprig endpoint, which could allow any...

CVSS 6.5 | AI score 6.7 | EPSS 0.00044
Exploits: 1 | References: 1
OSV
added 2026/03/13 8:56 p.m., 0 views

GHSA-4J3X-HHG2-FM2X SiYuan's renderSprig has a missing admin check that allows any user to read full workspace DB

Summary: POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes. Details: File: kernel/api/router.go. Every sensitive endpoint i...

CVSS 6.5 | AI score 6.1 | EPSS 0.00044
Exploits: 1 | References: 4
Snyk
added 2026/03/13 8:56 p.m., 0 views

Incorrect Permission Assignment for Critical Resource

Overview: Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource in the renderSprig endpoint. An attacker can gain unauthorized access to sensitive workspace database content by sending crafted requests to the affected API endpoint as an...

CVSS 7.1 | AI score 5.8 | EPSS 0.00044
Exploits: 1 | References: 2
Positive Technologies
added 2026/03/13 12:0 a.m., 1 views

PT-2026-25387

Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.6.1. Description: SiYuan is a personal knowledge management system. The POST /api/template/renderSprig endpoint lacks a proper authorization check model.CheckAdminRole, allowing any authenticated user to execute...

CVSS 6.5 | AI score 6.1 | EPSS 0.00044
Exploits: 1 | References: 9