PT-2024-36575 · Siyuan · Siyuan

Elleuch-X1 · Published 2024-12-11 · Updated 2024-12-18
CVE-2024-55660
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.1.16
Description: SiYuan's /api/template/renderSprig endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limitations, it allows attackers to access environment variables, potentially leading to information leakage.
Recommendations: For versions prior to 3.1.16, update to version 3.1.16 to resolve the issue. As a temporary workaround, consider restricting access to the /api/template/renderSprig endpoint until the update is applied.
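The mitigation pattern for this class of bug, as an added Go example that is neither SiYuan's nor Sprig's code: a function map handed to caller-controlled templates must not contain functions that reach process state. The permissive map below mimics Sprig's `env`/`expandenv` with the standard library (assumption: the sprig module is not imported); the hardened map drops them, so `text/template` rejects such templates at parse time. Whether SiYuan's 3.1.16 fix uses exactly this approach is not stated on this page.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"text/template"
)

// permissiveFuncMap stands in for a Sprig-style function map exposed to
// user-supplied templates. Only the functions relevant here are mimicked;
// "env" and "expandenv" behave like Sprig's and read the process environment.
func permissiveFuncMap() template.FuncMap {
	return template.FuncMap{
		"upper":     strings.ToUpper,
		"env":       os.Getenv,
		"expandenv": os.ExpandEnv,
	}
}

// hardenedFuncMap removes every function that can reach process state, so a
// template from an unauthenticated caller can only use pure string helpers.
// A missing key makes the parser fail before anything is executed.
func hardenedFuncMap() template.FuncMap {
	m := permissiveFuncMap()
	for _, name := range []string{"env", "expandenv"} {
		delete(m, name)
	}
	return m
}

// renderSprig mimics the endpoint: parse and execute caller-controlled
// template text with the given function map and return the rendered output.
func renderSprig(text string, funcs template.FuncMap) (string, error) {
	tmpl, err := template.New("renderSprig").Funcs(funcs).Parse(text)
	if err != nil {
		return "", err
	}
	var out strings.Builder
	if err := tmpl.Execute(&out, nil); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	os.Setenv("DEMO_SECRET", "constructed-value") // constructed sample value
	for _, funcs := range []template.FuncMap{permissiveFuncMap(), hardenedFuncMap()} {
		out, err := renderSprig(`{{ env "DEMO_SECRET" }}`, funcs)
		fmt.Printf("out=%q err=%v\n", out, err)
	}
}
```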

Weakness Enumeration: Code Injection

Related Identifiers

CVE-2024-55660
GHSA-4PJC-PWGQ-Q9JP
GO-2024-3324
OPENSUSE-SU-2024:14599-1

Affected Products

Siyuan