CVE-2026-59834
Deferred Deferred - Pending Action

SiYuan Prior to 3.7.1 SQL Injection via Block Search

Vulnerability report for CVE-2026-59834, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the block search endpoint POST /api/search/fullTextSearchBlock concatenates attacker-controlled paths values into SQL predicates used by non-SQL search modes, allowing an unauthenticated publish visitor to inject a UNION SELECT and return rows from hidden documents by projecting an allowed visible box and path. This issue is fixed in versions 3.7.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
siyuan si_yuan 3.7.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should upgrade SiYuan to version 3.7.1 or later, where the issue has been fixed.

Since the vulnerability allows unauthenticated attackers to inject SQL via the block search endpoint, restricting access to this endpoint or disabling non-SQL search modes temporarily may reduce risk until the upgrade is applied.

Impact Analysis

The vulnerability can allow an unauthenticated attacker to access hidden documents that should not be visible. This means sensitive or confidential information stored within the SiYuan system could be exposed without proper authorization, leading to potential data breaches.

Compliance Impact

CVE-2026-59834 allows unauthenticated attackers to perform SQL injection attacks that can expose hidden documents and sensitive information within the SiYuan note-taking application. This unauthorized data access can lead to the exposure of personal or confidential data that may be protected under regulations such as GDPR or HIPAA.

Because the vulnerability enables attackers to bypass access controls and retrieve private content, it poses a risk to data confidentiality and privacy requirements mandated by these standards. Organizations using affected versions of SiYuan may face compliance violations if sensitive personal or health information is disclosed due to this flaw.

Remediation by applying the fix in version 3.7.1, which includes input validation and parameterized queries, is essential to maintain compliance and protect sensitive data from unauthorized disclosure.

Detection Guidance

This vulnerability can be detected by monitoring and analyzing requests to the SiYuan application's block search endpoint, specifically POST requests to /api/search/fullTextSearchBlock.

Look for suspicious payloads in the paths[] parameter that include SQL keywords such as UNION SELECT or other SQL metacharacters that could indicate an injection attempt.

A practical approach is to capture and inspect HTTP traffic to this endpoint using tools like tcpdump or Wireshark, or by reviewing application logs for unusual query parameters.

Example commands to detect potential exploitation attempts include:

  • Using tcpdump to capture HTTP POST requests to the vulnerable endpoint: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/api/search/fullTextSearchBlock'
  • Using grep to search application logs for suspicious SQL injection patterns in the paths parameter: grep -iE 'paths.*union|select|--|;|\'' /path/to/siyuan/logs/*
  • Using curl or similar tools to test the endpoint with crafted payloads to verify if the system is vulnerable (only in a controlled environment): curl -X POST https://your-siyuan-instance/api/search/fullTextSearchBlock -d '{"paths":["1 UNION SELECT"]}' -H 'Content-Type: application/json'
Executive Summary

This vulnerability exists in SiYuan, an open-source personal knowledge management system, in versions prior to 3.7.1. The issue occurs in the block search endpoint POST /api/search/fullTextSearchBlock, where attacker-controlled path values are concatenated into SQL predicates used by non-SQL search modes. This allows an unauthenticated visitor to inject a UNION SELECT statement, enabling them to retrieve rows from hidden documents by projecting an allowed visible box and path.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59834. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart