
Xtromera

#28696 of 53,635
8.8 Total CVSS
Vulnerabilities · 1
PT-2026-3496 · CVSS 8.8 · 2026-01-19 · Siyuan · Siyuan · CVE-2026-23850
**Name of the Vulnerable Software and Affected Versions**

SiYuan versions prior to 3.5.4

**Description**

The markdown feature in SiYuan allows unrestricted server-side HTML rendering, which can lead to arbitrary file read (LFD) and Server-Side Request Forgery (SSRF). The issue occurs because the `markdown` parameter is passed to `model.CreateWithMarkdown` without proper sanitization, and that function in turn passes the input to `luteEngine.Md2BlockDOM(md, false)`, again without sanitization. An attacker can exploit this to read sensitive files from the system and potentially reach internal hosts via SSRF. A proof-of-concept (PoC) exploit is available.

**Recommendations**

Update SiYuan to version 3.5.4 or later.