Home > Vulnerability Database > CVE-2026-23850

Mend.io Vulnerability Database

CVE-2026-23850

Good to know:

Date: January 19, 2026

SiYuan is a personal knowledge management system. In versions prior to 3.5.4, the markdown feature allows unrestricted server side html-rendering which allows arbitrary file read (LFD). Version 3.5.4 fixes the issue.

Severity Score

8.2

Related Resources (9)

Url: https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad

Url: https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd

Url: https://github.com/siyuan-note/siyuan/issues/16860

Url: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-cv54-7wv7-qxcw

Url: https://github.com/siyuan-note/siyuan/blob/master/kernel/model/file.go#L1035

Url: https://github.com/siyuan-note/siyuan

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-23850

Url: https://github.com/siyuan-note/siyuan/blob/v3.4.2/kernel/api/filetree.go#L799-L886

Url: https://www.mend.io/vulnerability-database/CVE-2026-23850

Severity Score

8.2

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version github.com/siyuan-note/siyuan - v3.5.4;github.com/siyuan-note/siyuan/kernel - v0.0.0-20260118092326-b2274baba2e1

Learn More

CVSS v3.1

Base Score:	8.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-23850

Good to know:

Date: January 19, 2026

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?