CVE-2026-29073 Siyuan — Exploit & Vulnerability Details MEDIUM

Parameter	Value
CVSS	5.7 (MEDIUM)
Fixed In	3.6.0
Type	CWE-89 (SQL Injection (SQL-инъекция)), CWE-862 (Missing Authorization (Отсутствие авторизации))
Vendor	Siyuan
Public PoC	No

SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql lets a user run sql directly, but it only checks basic auth, not admin rights, any logged-in user, even readers, can run any sql query on the database. This issue has been patched in version 3.6.0.

Attack Parameters

Attack Vector

Network

Атака возможна удалённо

Attack Complexity

Low

Легко эксплуатировать

Attack Requirements

None

Нет дополнительных условий

Privileges Required

Low

Нужны базовые права

User Interaction

None

Не нужно действие пользователя

Impact Assessment

Confidentiality

High

Полная утечка данных

Integrity

None

Нет модификации данных

Availability

None

Нет нарушения работы

CVSS Vector v4.0

Weakness Type (CWE)

CWE-89 SQL Injection (SQL-инъекция)

CWE-862 Missing Authorization (Отсутствие авторизации)

References 1

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-jqwg-75qf-vmf9

security-advisories@github.com

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-29183

Siyuan

9.3

Menu

CVE-2026-29073

Attack Parameters

Impact Assessment

CVSS Vector v4.0

Weakness Type (CWE)

References 1

Related Vulnerabilities

CVE-2026-29183

CVE Details

Editor's Choice