PT-2026-25824 · Siyuan · Siyuan

Fg0X0 · Published 2026-03-16 · Updated 2026-03-27 · CVE-2026-32749

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SiYuan versions 3.6.0 and below

Description: SiYuan, a personal knowledge management system, contains a flaw in the handling of file uploads through the '/api/import/importSY' and '/api/import/importZipMd' API endpoints. These endpoints write uploaded archives to a path derived from the filename without proper sanitization. This allows an administrator to write files to arbitrary locations, potentially including system paths, leading to Remote Code Execution (RCE). The issue stems from insufficient cleaning of file paths, allowing crafted filenames with '..' sequences to escape the intended temporary directory. Exploitation requires sending raw HTTP requests, bypassing sanitization performed by tools like curl. The vulnerable code resides in the kernel/api/import.go file, specifically within the importSY and importZipMd functions. A proof-of-concept demonstrates the ability to overwrite files like /etc/cron.d/ (in root containers) or user configuration files to achieve RCE. The flaw can also lead to data destruction by overwriting workspace or application files.

Recommendations: Update to version 3.6.1 or later to resolve this vulnerability.
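The pattern the description refers to, a client-supplied filename joined onto the temporary directory, beside a hardened form that rejects traversal and re-checks containment before any write. This is an added illustrative example, not SiYuan's code from kernel/api/import.go; the directory /tmp/siyuan-import and the filenames are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeName marks an uploaded filename that would leave the import directory.
var ErrUnsafeName = errors.New("unsafe upload filename")

// naiveUploadPath mirrors the risky pattern the advisory describes: the raw
// filename from the request is joined onto tmpDir as-is. filepath.Join cleans
// the result, so ".." components simply walk out of the directory.
func naiveUploadPath(tmpDir, rawName string) string {
	return filepath.Join(tmpDir, rawName)
}

// safeUploadPath is the hardened form: any name carrying a directory part or
// ".." is rejected, and the joined path is verified to sit directly under tmpDir.
func safeUploadPath(tmpDir, rawName string) (string, error) {
	// Treat backslashes as separators too, so Windows-style traversal is caught.
	name := strings.ReplaceAll(rawName, `\`, "/")
	if name == "" || name == "." || name == ".." || strings.Contains(name, "/") {
		return "", ErrUnsafeName
	}
	root, err := filepath.Abs(tmpDir)
	if err != nil {
		return "", err
	}
	dst := filepath.Join(root, name)
	// Defence in depth: the cleaned path must be root plus exactly this one element.
	if rel, err := filepath.Rel(root, dst); err != nil || rel != name {
		return "", ErrUnsafeName
	}
	return dst, nil
}

func main() {
	tmp := "/tmp/siyuan-import" // constructed example directory
	for _, n := range []string{"notes.sy.zip", "../../etc/evil.zip"} {
		fmt.Printf("naive: %q -> %s\n", n, naiveUploadPath(tmp, n))
		if dst, err := safeUploadPath(tmp, n); err != nil {
			fmt.Printf("safe:  %q -> rejected (%v)\n", n, err)
		} else {
			fmt.Printf("safe:  %q -> %s\n", n, dst)
		}
	}
}
```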

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-32749
GHSA-QVVF-Q994-X79V
GO-2026-4707
SUSE-SU-2026:1135-1

Affected Products

Siyuan