CNNVD-202601-2995 Information
CNNVD ID
CNNVD-202601-2995
Related CVE
- CNNVD Published: 2026-01-19
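Description (translated from Chinese)
SiYuan is a privacy-first personal knowledge management system open-sourced by SiYuan. Versions of SiYuan before 3.5.4 contain a path traversal vulnerability, which stems from the markdown feature allowing unrestricted server-side HTML rendering and may lead to arbitrary file read.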
Description (English)
SiYuan is an open-source, privacy-first personal knowledge management system. Versions of SiYuan before 3.5.4 contain a path traversal vulnerability that stems from the markdown feature allowing unrestricted server-side HTML rendering, which could lead to arbitrary file read.
Hazard Level
Medium
Vulnerability Type
Path traversal
Affected Vendor
SiYuan
Published
2026-01-19
Last Modified
2026-02-24
References
- https://github.com/siyuan-note/siyuan/blob/master/kernel/model/file.go#L1035
- https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad
- https://github.com/siyuan-note/siyuan/issues/16860
- https://github.com/siyuan-note/siyuan/blob/v3.4.2/kernel/api/filetree.go#L799-L886
- https://github.com/siyuan-note/siyuan/security/advisories/GHSA-cv54-7wv7-qxcw
- https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd
- https://access.redhat.com/security/cve/cve-2026-23850
Patch
https://github.com/siyuan-note/siyuan/releases