CVE-2026-59834

Severity CVSS v4.0:
Pending analysis
Type:
CWE-89 SQL Injection
Publication date:
09/07/2026
Last modified:
10/07/2026

Description

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the block search endpoint POST /api/search/fullTextSearchBlock concatenates attacker-controlled paths values into SQL predicates used by non-SQL search modes, allowing an unauthenticated publish visitor to inject a UNION SELECT and return rows from hidden documents by projecting an allowed visible box and path. This issue is fixed in versions 3.7.1.