Nixpkgs Security Tracker

Login with GitHub

Details of issue NIXPKGS-2026-0544

NIXPKGS-2026-0544
published on 7 Mar 2026
Permalink CVE-2026-29073
updated 1 week ago by @mweinelt Activity log
  • Created automatic suggestion 1 week, 1 day ago
  • @mweinelt accepted 1 week ago
  • @mweinelt published on GitHub 1 week ago
SiYuan: Direct SQL Query API accessible to Reader-level users enables unauthorized database access

SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql lets a user run sql directly, but it only checks basic auth, not admin rights, any logged-in user, even readers, can run any sql query on the database. This issue has been patched in version 3.6.0.

References

Affected products

siyuan
  • ==< 3.6.0

Matching in nixpkgs

pkgs.siyuan

Privacy-first personal knowledge management system that supports complete offline usage, as well as end-to-end encrypted data sync

Package maintainers