Ghostwire

CVE-2026-59834: SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the block search endpoint POST...

HIGH CVSS 7.5 3 PoC

Published: July 9, 2026 | Last Modified: July 9, 2026

Description

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the block search endpoint POST /api/search/fullTextSearchBlock concatenates attacker-controlled paths values into SQL predicates used by non-SQL search modes, allowing an unauthenticated publish visitor to inject a UNION SELECT and return rows from hidden documents by projecting an allowed visible box and path. This issue is fixed in versions 3.7.1.

Ghostwire Analysis — What This Means Practically

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Proof-of-Concept Exploits (3)

Security Coverage (1 articles)

References