CVE Catalog

CVE-2026-54068

MediumCVSS 5.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile — higher than 15% of all known CVEs

Summary

SiYuan is a knowledge management system that prior to version 3.7.0 had the /api/icon/getDynamicIcon endpoint which did not require authentication. Attackers can exploit this endpoint to execute arbitrary SELECT queries against the SiYuan SQLite database, leading to data leakage.

Risk Assessment

Organizations using SiYuan prior to version 3.7.0 are at risk of leaking sensitive information such as user notes, tags, and block attributes, which can lead to serious privacy breaches.

Recommendation

It is recommended to upgrade SiYuan to version 3.7.0 or later to mitigate this vulnerability. Additionally, conducting a security audit of the database is advisable to detect potential breaches.

Original NVD description (English source)

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the /api/icon/getDynamicIcon endpoint is explicitly excluded from authentication in SiYuan's kernel router (router.go, "不需要鉴权" -- no auth needed). When called with type=8 and a valid block id parameter, this endpoint invokes RenderDynamicIconContentTemplate, which executes a Go template that includes the querySQL and queryBlocks functions. These functions run arbitrary SELECT statements against the SiYuan SQLite database. An unauthenticated network-adjacent attacker who knows a valid block ID can exfiltrate all user note content, tags, asset references, and block attributes from the database. This vulnerability is fixed in 3.7.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS