CVE-2026-54068
MediumCVSS 5.9Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
SiYuan is a knowledge management system that prior to version 3.7.0 had the /api/icon/getDynamicIcon endpoint which did not require authentication. Attackers can exploit this endpoint to execute arbitrary SELECT queries against the SiYuan SQLite database, leading to data leakage.
Risk Assessment
Organizations using SiYuan prior to version 3.7.0 are at risk of leaking sensitive information such as user notes, tags, and block attributes, which can lead to serious privacy breaches.
Recommendation
It is recommended to upgrade SiYuan to version 3.7.0 or later to mitigate this vulnerability. Additionally, conducting a security audit of the database is advisable to detect potential breaches.
Original NVD description (English source)
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the /api/icon/getDynamicIcon endpoint is explicitly excluded from authentication in SiYuan's kernel router (router.go, "不需要鉴权" -- no auth needed). When called with type=8 and a valid block id parameter, this endpoint invokes RenderDynamicIconContentTemplate, which executes a Go template that includes the querySQL and queryBlocks functions. These functions run arbitrary SELECT statements against the SiYuan SQLite database. An unauthenticated network-adjacent attacker who knows a valid block ID can exfiltrate all user note content, tags, asset references, and block attributes from the database. This vulnerability is fixed in 3.7.0.

