VDB

CVE-2026-32704

CVE-2026-32704 PUBLISHED CVSS 6.5 MEDIUM

SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes. This vulnerability is fixed in 3.6.1.

EPSS 0.04% · 14.1th percentile

Risk Scores

CVSS 3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score
0.04%
14.1th percentile

Affected Products

VendorProductVersions
b3logsiyuan0, 0, 0
github.comsiyuan-note/siyuan/kernel0, 0, 0
siyuan-notesiyuan< 3.6.1, < 3.6.1, < 3.6.1

Timeline

  • Mar 13, 2026 CVE Published
  • Mar 13, 2026 PoC Published
  • Mar 14, 2026 EPSS Score
  • Mar 14, 2026 PoC Published
  • Mar 15, 2026 EPSS Score
  • Mar 16, 2026 EPSS Score
  • Mar 17, 2026 EPSS Score
  • Mar 17, 2026 Coalition ESS Score
  • Mar 17, 2026 Security Advisory
  • Mar 18, 2026 EPSS Score
  • Mar 19, 2026 EPSS Score
  • Mar 20, 2026 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›