CVE-2026-59834
Severity CVSS v4.0:
Pending analysis
Type:
CWE-89
SQL Injection
Publication date:
09/07/2026
Last modified:
10/07/2026
Description
SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the block search endpoint POST /api/search/fullTextSearchBlock concatenates attacker-controlled paths values into SQL predicates used by non-SQL search modes, allowing an unauthenticated publish visitor to inject a UNION SELECT and return rows from hidden documents by projecting an allowed visible box and path. This issue is fixed in versions 3.7.1.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
References to Advisories, Solutions, and Tools
- https://github.com/siyuan-note/siyuan/commit/57bcad4b331836880bfe6be25d4180bdcf10db0d
- https://github.com/siyuan-note/siyuan/commit/d0f0fe146fb07d594fcadc4f48d4f7c30ac01d1e
- https://github.com/siyuan-note/siyuan/releases/tag/v3.7.1
- https://github.com/siyuan-note/siyuan/security/advisories/GHSA-h89q-4j2h-7h88
- https://github.com/siyuan-note/siyuan/security/advisories/GHSA-h89q-4j2h-7h88



