CVE-2026-29073 - SiYuan: Direct SQL Query API accessible to Reader-level users enables unauthorized database access
CVE ID : CVE-2026-29073
Published : March 6, 2026, 8:16 a.m.
Description : SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql endpoint lets a user run SQL directly, but it only checks basic auth, not admin rights, so any logged-in user, even a Reader, can run any SQL query on the database. This issue has been patched in version 3.6.0.
Severity: 5.7 | MEDIUM