VDB
CVE-2026-32704
CVE-2026-32704
PUBLISHED
CVSS 6.5 MEDIUM
SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes. This vulnerability is fixed in 3.6.1.
EPSS 0.04% · 14.1th percentile
Risk Scores
CVSS 3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score
0.04%
14.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| b3log | siyuan | 0, 0, 0 |
| github.com | siyuan-note/siyuan/kernel | 0, 0, 0 |
| siyuan-note | siyuan | < 3.6.1, < 3.6.1, < 3.6.1 |
Exploit Intelligence
- CIRCL published-proof-of-concept: CVE-2026-32704 (circl-sighting)
- CIRCL seen: CVE-2026-32704 (circl-sighting)
- https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4j3x-hhg2-fm2x (nist-nvd)
Timeline
- Mar 13, 2026 CVE Published
- Mar 13, 2026 PoC Published
- Mar 14, 2026 EPSS Score
- Mar 14, 2026 PoC Published
- Mar 15, 2026 EPSS Score
- Mar 16, 2026 EPSS Score
- Mar 17, 2026 EPSS Score
- Mar 17, 2026 Coalition ESS Score
- Mar 17, 2026 Security Advisory
- Mar 18, 2026 EPSS Score
- Mar 19, 2026 EPSS Score
- Mar 20, 2026 EPSS Score