DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-54068: CVE-2026-54068: Unauthenticated Server-Side Template Injection and SQLite Exfiltration in SiYuan PKM

CVE-2026-54068: Unauthenticated Server-Side Template Injection and SQLite Exfiltration in SiYuan PKM

Vulnerability ID: CVE-2026-54068
CVSS Score: 5.9
Published: 2026-07-10

An authentication bypass in the SiYuan personal knowledge management system before version 3.7.0 exposes a dynamic icon rendering endpoint. This endpoint processes client-supplied Go template directives. By submitting a crafted request, an unauthenticated remote attacker can leverage registered database template functions to execute arbitrary read-only SQL queries and exfiltrate workspace contents.

TL;DR

An unauthenticated API endpoint in SiYuan PKM before 3.7.0 evaluates user-controlled input using the Go template engine. Remote attackers can leverage registered SQL helper functions to query the underlying SQLite database and exfiltrate notes, credentials, and system metadata.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-306
  • Attack Vector: Network (AV:N)
  • CVSS Score: 5.9 (Medium)
  • EPSS Score: 0.00239 (Percentile Rank: 14.92%)
  • Impact: High Confidentiality Leakage
  • Exploit Status: Proof-of-Concept
  • KEV Status: Not Listed

Affected Systems

  • SiYuan Open-Source Personal Knowledge Management System
  • siyuan: < 3.7.0 (Fixed in: 3.7.0)

Code Analysis

Commit: 27e0051

Move /api/icon/getDynamicIcon to authenticated group

Mitigation Strategies

  • Upgrade SiYuan to version 3.7.0 or newer.
  • Restrict network access to the SiYuan API and web UI using reverse proxies or firewall ACLs.
  • Monitor HTTP access logs for requests containing the .action parameter targeting /api/icon/getDynamicIcon.

Remediation Steps:

  1. Verify the running version of SiYuan using the version endpoint or the application UI.
  2. Update the Docker image or localized installation to version 3.7.0.
  3. Restart the service and confirm that accessing /api/icon/getDynamicIcon without an authorization header yields an HTTP 401 Unauthorized response.

References


Read the full report for CVE-2026-54068 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)