← volver
CVE-2026-32704

SiYuan renderSprig: missing admin check allows any user to read full workspace DB

CVSS 6.5 MEDIUMEPSS 0.2%CWE-285CWE-732
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 6.5EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
13 mar 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes. This vulnerability is fixed in 3.6.1.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Productos afectados
siyuan-note · siyuan

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4j3x-hhg2-fm2x