CVE-2026-59853

medium

Description

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the /api/storage/getCriteria endpoint returns saved search criteria from data/storage/criteria.json without the publish-access filtering used by sibling storage endpoints, allowing a publish-mode Reader to read private document paths, notebook, document, and block IDs, and search and replace keywords for unpublished documents. This issue is fixed in versions 3.7.1.

References

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-px3c-cf92-9g83

https://github.com/siyuan-note/siyuan/releases/tag/v3.7.1

https://github.com/siyuan-note/siyuan/commit/0049d0f04ffe9837760d29248b9ef31605077d36

Details

Source: Mitre, NVD

Published: 2026-07-09

Updated: 2026-07-09

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Severity: Medium