QwikSec

Security Database

CVE

CWE

Training

CVE-2026-32749

Published: Mar 19, 2026

Modified: Mar 20, 2026

PUBLISHED

CVSS v3.1

7.6

HIGH

Description

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importSY and POST /api/import/importZipMd write uploaded archives to a path derived from the multipart filename field without sanitization, allowing an admin to write files to arbitrary locations outside the temp directory - including system paths that enable RCE. This can lead to aata destruction by overwriting workspace or application files, and for Docker containers running as root (common default), this grants full container compromise. This issue has been fixed in version 3.6.1.

Vendor	Product	Versions
siyuan-note	siyuan	affected `< 3.6.1`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

None

References

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-qvvf-q994-x79v

x_refsource_CONFIRM

https://github.com/siyuan-note/siyuan/commit/5ee00907f0b0c4aca748ce21ef1977bb98178e14

x_refsource_MISC

https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.