Nixpkgs Security Tracker

Untriaged

Permalink CVE-2026-32938

9.9 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): LOW
Availability impact (A): HIGH

created 2 days, 2 hours ago

SiYuan has an Arbitrary File Read in its Desktop Publish Service

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET /assets/*path, which only requires authentication, a publish-service visitor can cause the desktop kernel to copy any readable sensitive file and then read it via GET, leading to exfiltration of sensitive files. This issue has been fixed in version 3.6.1.

References

https://github.com/siyuan-note/siyuan/commit/294b8b429dea152cd1df522cddf406054c1619ad x_refsource_MISC
https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1 x_refsource_MISC
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-fq2j-j8hc-8vw8 x_refsource_CONFIRM

Affected products

siyuan

==< 3.6.1

Matching in nixpkgs

pkgs.siyuan

Privacy-first personal knowledge management system that supports complete offline usage, as well as end-to-end encrypted data sync

nixos-unstable 3.5.10
- nixpkgs-unstable 3.5.10
- nixos-unstable-small 3.5.10
nixos-25.11 3.5.4
- nixos-25.11-small 3.5.4
- nixpkgs-25.11-darwin 3.5.4

Package maintainers

@TomaSajt TomaSajt
@L-Trump Luo Chen <ltrump@163.com>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.siyuan

Package maintainers