cvedb.io
CVE-2026-32704
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2026-03-16T14:19:41.233 · Last modified 2026-06-17T10:36:14.357

Summary

SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes. This vulnerability is fixed in 3.6.1.

Affected products

b3log — siyuan

Does this affect you?

Add your gear to cvedb and we'll alert you only when b3log ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.