Impact
SiYuan is an open‑source personal knowledge‑management system. Prior to 3.7.0, the /api/icon/getDynamicIcon endpoint intentionally disables authentication. When called with type=8 and a valid block ID, the endpoint renders a Go template that calls querySQL and queryBlocks, executing arbitrary SELECT statements against the SQLite database, allowing an unauthenticated network‑adjacent attacker who knows a valid block ID to read all note content, tags, asset references, and block attributes. The flaw is a missing authentication mechanism (CWE‑306) and does not provide arbitrary code execution.
Affected Systems
The vulnerability affects the open‑source personal knowledge management system SiYuan (vendor siyuan-note:siyuan). All releases prior to 3.7.0 contain the flaw; versions 3.7.0 and newer have the issue fixed.
Risk and Exploitability
The CVSS score is 5.9, indicating moderate severity. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. An unauthenticated, network‑adjacent attacker who knows a valid block ID can exploit the endpoint, leveraging the missing authentication to execute SELECT queries and pull sensitive database content. The attack requires only network access to the service and knowledge of a block ID, making it feasible in environments where block IDs are discoverable.
OpenCVE Enrichment
Github GHSA