CVE-2026-29073 — Vulnetix

CVE-2026-29073 PUBLISHED CVSS 5.699999809265137 MEDIUM

SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql lets a user run sql directly, but it only checks basic auth, not admin rights, any logged-in user, even readers, can run any sql query on the database. This issue has been patched in version 3.6.0.

EPSS 0.07% · 21.0th percentile

Risk Scores

CVSS v4.0

5.699999809265137

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

EPSS Score

0.07%

21.0th percentile

Affected Products

Vendor	Product	Versions
b3log	siyuan	0, 0
github.com	siyuan-note/siyuan/kernel	0, 0
siyuan-note	siyuan	< 3.6.0, < 3.6.0

Timeline

Mar 3, 2026 CVE Published
Mar 6, 2026 CVE Updated
Mar 6, 2026 EPSS Score
Mar 6, 2026 PoC Published
Mar 7, 2026 EPSS Score
Mar 8, 2026 EPSS Score
Mar 10, 2026 EPSS Score
Mar 11, 2026 EPSS Score
Mar 12, 2026 EPSS Score
Mar 13, 2026 EPSS Score
Mar 14, 2026 EPSS Score
Mar 15, 2026 EPSS Score

References

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-jqwg-75qf-vmf9 url
https://nvd.nist.gov/vuln/detail/CVE-2026-29073 advisory
https://github.com/siyuan-note/siyuan package

Open in Interactive Console →