Back to overview

CVE-2026-59853

MEDIUM
6.5
CVSS 3.1
Description
SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the /api/storage/getCriteria endpoint returns saved search criteria from data/storage/criteria.json without the publish-access filtering used by sibling storage endpoints, allowing a publish-mode Reader to read private document paths, notebook, document, and block IDs, and search and replace keywords for unpublished documents. This issue is fixed in versions 3.7.1.

Metadata

CVE ID
CVE-2026-59853
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-07-07 15:41 UTC
Published
2026-07-09 22:20 UTC
Last updated
2026-07-09 22:20 UTC
Primary CWE
CWE-862
CWE-862: Missing Authorization
Vendor / Product
siyuan-note / siyuan
Sources
cve.org  ·  NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products (1)
VendorProductPlatformVersions
siyuan-note siyuan < 3.7.1
Weakness (CWE)
CWESourceDescription
CWE-862 cna CWE-862: Missing Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.5 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References (3)
Back to overview