{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23850", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-16T15:46:40.843Z", "datePublished": "2026-01-19T19:52:58.615Z", "dateUpdated": "2026-01-20T20:05:16.346Z"}, "containers": {"cna": {"title": "SiYuan vulnerable to arbitrary file read", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-cv54-7wv7-qxcw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-cv54-7wv7-qxcw"}, {"name": "https://github.com/siyuan-note/siyuan/issues/16860", "tags": ["x_refsource_MISC"], "url": "https://github.com/siyuan-note/siyuan/issues/16860"}, {"name": "https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd", "tags": ["x_refsource_MISC"], "url": "https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd"}, {"name": "https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad", "tags": ["x_refsource_MISC"], "url": "https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad"}, {"name": "https://github.com/siyuan-note/siyuan/blob/master/kernel/model/file.go#L1035", "tags": ["x_refsource_MISC"], "url": "https://github.com/siyuan-note/siyuan/blob/master/kernel/model/file.go#L1035"}, {"name": "https://github.com/siyuan-note/siyuan/blob/v3.4.2/kernel/api/filetree.go#L799-L886", "tags": ["x_refsource_MISC"], "url": "https://github.com/siyuan-note/siyuan/blob/v3.4.2/kernel/api/filetree.go#L799-L886"}], "affected": [{"vendor": "siyuan-note", "product": "siyuan", "versions": [{"version": "< 3.5.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T19:56:47.029Z"}, "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. In versions prior to 3.5.4, the markdown feature allows unrestricted server side html-rendering which allows arbitrary file read (LFD). Version 3.5.4 fixes the issue."}], "source": {"advisory": "GHSA-cv54-7wv7-qxcw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T20:04:00.809446Z", "id": "CVE-2026-23850", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T20:05:16.346Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23850", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T20:04:00.809446Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T20:04:02.837Z"}}], "cna": {"title": "SiYuan vulnerable to arbitrary file read", "source": {"advisory": "GHSA-cv54-7wv7-qxcw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "siyuan-note", "product": "siyuan", "versions": [{"status": "affected", "version": "< 3.5.4"}]}], "references": [{"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-cv54-7wv7-qxcw", "name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-cv54-7wv7-qxcw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/siyuan-note/siyuan/issues/16860", "name": "https://github.com/siyuan-note/siyuan/issues/16860", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd", "name": "https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad", "name": "https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/siyuan-note/siyuan/blob/master/kernel/model/file.go#L1035", "name": "https://github.com/siyuan-note/siyuan/blob/master/kernel/model/file.go#L1035", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/siyuan-note/siyuan/blob/v3.4.2/kernel/api/filetree.go#L799-L886", "name": "https://github.com/siyuan-note/siyuan/blob/v3.4.2/kernel/api/filetree.go#L799-L886", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. In versions prior to 3.5.4, the markdown feature allows unrestricted server side html-rendering which allows arbitrary file read (LFD). Version 3.5.4 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T19:56:47.029Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23850", "state": "PUBLISHED", "dateUpdated": "2026-01-20T20:05:16.346Z", "dateReserved": "2026-01-16T15:46:40.843Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-19T19:52:58.615Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*", "matchCriteriaId": "D3F308D6-1396-4488-9382-0EE485C9289C", "versionEndExcluding": "3.5.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. In versions prior to 3.5.4, the markdown feature allows unrestricted server side html-rendering which allows arbitrary file read (LFD). Version 3.5.4 fixes the issue."}, {"lang": "es", "value": "SiYuan es un sistema de gesti\u00f3n de conocimiento personal. En versiones anteriores a la 3.5.4, la caracter\u00edstica de markdown permite la renderizaci\u00f3n HTML sin restricciones del lado del servidor, lo que permite la lectura arbitraria de archivos (LFD). La versi\u00f3n 3.5.4 corrige el problema."}], "id": "CVE-2026-23850", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-19T20:15:49.533", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/siyuan-note/siyuan/blob/master/kernel/model/file.go#L1035"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/siyuan-note/siyuan/blob/v3.4.2/kernel/api/filetree.go#L799-L886"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/siyuan-note/siyuan/issues/16860"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-cv54-7wv7-qxcw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T05:00:39.603961+00:00", "value": {"mitigation_remediation": ["Upgrade SiYuan to version\u202f3.5.4 or later to eliminate the insecure markdown rendering path.", "If upgrading is not immediately feasible, restrict or disable the server\u2011side HTML rendering feature for markdown to prevent arbitrary file access.", "Enforce strict input validation on markdown uploads, ensuring file paths are resolved relative to a safely defined directory and that no absolute or parent\u2011directory paths are accepted."], "summary": {"action": "Patch Immediately", "impact": "Confidentiality Breach via Arbitrary File Read"}, "threat_synthesis": {"affected_systems": "Versions of SiYuan prior to 3.5.4 are affected. The product is the SiYuan personal knowledge management system distributed by Siyuan-Note. The issue was corrected in release 3.5.4, eliminating the insecure rendering path.", "description_and_impact": "The vulnerability resides in SiYuan\u2019s markdown processing, where unrestricted server\u2011side HTML rendering permits reading any file accessible to the application. An attacker who can supply malicious markdown can retrieve arbitrary server files, exposing sensitive data and potentially system configuration. This is classified as a file\u2011reading flaw (CWE\u201122).", "risk_and_exploitability": "The CVSS score of 7.8 indicates a high severity. The EPSS score is below 1\u202f%, signalling a low current likelihood of exploitation, and the vulnerability is not yet listed in CISA\u2019s KEV catalog. Likely, an attacker would exploit the flaw remotely by sending crafted markdown content to the server\u2019s rendering endpoint, triggering the uncontrolled file read. The absence from KEV implies no widespread public exploitation has been reported at present."}}}}, "created": "2026-01-20T08:40:47.548885+00:00", "updated": "2026-04-18T05:15:15.968052+00:00", "vendors": ["siyuan", "siyuan$PRODUCT$siyuan"]}