目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1000

100.0%
请我们喝杯咖啡

CVE-2026-34453— SiYuan 安全漏洞

CVSS 7.5 · High EPSS 3.65% · P88
获取后续新漏洞提醒登录后订阅

一、 漏洞 CVE-2026-34453 基础信息

漏洞信息
对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗

尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。

Vulnerability Title
SiYuan: Broken access control in /api/bookmark/getBookmark allows unauthenticated publish visitors to read password-protected bookmarked content
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling FilterBlocksByPublishAccess(nil, ...). Because the filter treats a nil context as authorized, it skips the publish password check and returns bookmarked blocks from documents configured as Protected. As a result, anyone who can access the publish service can retrieve content from protected documents without providing the required password, as long as at least one block in the document is bookmarked. This issue has been patched in version 3.6.2.
来源: 美国国家漏洞数据库 NVD
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
授权机制不正确
来源: 美国国家漏洞数据库 NVD
Vulnerability Title
SiYuan 安全漏洞
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Description
SiYuan是SiYuan开源的一个隐私至上的个人知识管理系统。 SiYuan 3.6.2之前版本存在安全漏洞,该漏洞源于发布服务对书签块的访问控制不当,可能导致未经身份验证的访问者检索受保护文档内容。
来源: 中国国家信息安全漏洞库 CNNVD
CVSS Information
N/A
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Type
N/A
来源: 中国国家信息安全漏洞库 CNNVD

受影响产品

厂商产品影响版本CPE订阅
siyuan-notesiyuan < 3.6.2 -

二、漏洞 CVE-2026-34453 的公开POC

#POC 描述源链接神龙链接
1SiYuan v3.6.2 contains an information disclosure vulnerability caused by improper authorization checks in the publish service's bookmark filtering, letting unauthenticated visitors access bookmarked blocks from password-protected documents, exploit requires access to the publish service. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-34453.yamlPOC详情
AI 生成 POC高级
Qwen3.6-35B-A3B · 6681 chars
付费版包含:
漏洞原理深度分析
触发条件与影响面
完整可执行 POC 代码
利用链与缓解建议
POC 打包下载
每月 100+ 条 AI 生成额度

三、漏洞 CVE-2026-34453 的情报信息

Please 登录 to view more intelligence information

同批安全公告 · siyuan-note · 2026-03-31 · 共 5 条

CVE-2026-344499.7 CRITICALSiYuan 安全漏洞
CVE-2026-344489.1 CRITICALSiYuan 代码注入漏洞
CVE-2026-345858.6 HIGHSiYuan 代码注入漏洞
CVE-2026-34605SiYuan 跨站脚本漏洞

IV. Related Vulnerabilities

Same product: siyuan
Same vendor: siyuan-note
Same weakness: CWE-863

V. Comments for CVE-2026-34453

暂无评论

发表评论