CVE-2026-23850

Published: Jan 19, 2026

Modified: Jan 20, 2026

PUBLISHED

Description

SiYuan is a personal knowledge management system. In versions prior to 3.5.4, the markdown feature allows unrestricted server side html-rendering which allows arbitrary file read (LFD). Version 3.5.4 fixes the issue.

Vendor	Product	Versions
siyuan-note	siyuan	affected `< 3.5.4`

Weaknesses (CWE)

CWE-22

References

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-cv54-7wv7-qxcw

x_refsource_CONFIRM

https://github.com/siyuan-note/siyuan/issues/16860

x_refsource_MISC

https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd

x_refsource_MISC

https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad

x_refsource_MISC

https://github.com/siyuan-note/siyuan/blob/master/kernel/model/file.go#L1035

x_refsource_MISC

https://github.com/siyuan-note/siyuan/blob/v3.4.2/kernel/api/filetree.go#L799-L886

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-23850

Description

Affected Products

Weaknesses (CWE)

References