CVE-2026-34453 in SiYuan
要約 (英語)
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling FilterBlocksByPublishAccess(nil, ...). Because the filter treats a nil context as authorized, it skips the publish password check and returns bookmarked blocks from documents configured as Protected. As a result, anyone who can access the publish service can retrieve content from protected documents without providing the required password, as long as at least one block in the document is bookmarked. This issue has been patched in version 3.6.2.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
責任者
GitHub_M
予約する
2026年03月27日
公開
2026年04月01日
ステータス
確認済み
エントリ
VulDB provides additional information and datapoints for this CVE:
| 識別子 | 脆弱性 | CWE | 悪用可 | 対策 | CVE |
|---|---|---|---|---|---|
| 354572 | SiYuan Publish Service 特権昇格 | 863 | 未定義 | 公式な修正 | CVE-2026-34453 |