PatchSiren cyber security CVE debrief
CVE-2026-59853 siyuan-note CVE debrief
The CVE-2026-59853 issue was reported in the SiYuan personal knowledge management system. An endpoint vulnerability allowed unauthorized access to private document information for users with publish-mode Reader access. The issue was addressed in version 3.7.1. This vulnerability has a CVSS score of 6.5 and is considered medium severity. Users with publish-mode Reader access may have been exposed to private document paths, IDs, and keywords.
- Vendor
- siyuan-note
- Product
- siyuan
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-09
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-09
- Advisory updated
- 2026-07-10
Who should care
Users of SiYuan personal knowledge management system versions prior to 3.7.1 who have publish-mode Reader access should be aware of this vulnerability and take necessary defensive actions. Operators, platform administrators, vulnerability management teams, and security teams may need to review and remediate exposed systems.
Technical summary
CVE-2026-59853 is a vulnerability in the SiYuan personal knowledge management system. The /api/storage/getCriteria endpoint returned saved search criteria without proper access filtering, allowing publish-mode Readers to access private document paths, IDs, and keywords. This issue was fixed in version 3.7.1. The vulnerability has a CVSS score of 6.5 and is considered medium severity. Affected users with publish-mode Reader access may have been exposed to private document information. Operators, platform administrators, and security teams should review and remediate exposed systems, and consider compensating controls while remediation is scheduled and verified. Evidence is limited to public sources, including the CVE record, NVD detail, and GitHub release notes for version 3.7.1.
Defensive priority
Medium priority due to the CVSS score of 6.5 and the potential for unauthorized access to sensitive information.
Recommended defensive actions
- Upgrade to SiYuan version 3.7.1 or later
- Review and restrict access to the /api/storage/getCriteria endpoint
- Monitor for suspicious activity related to the affected endpoint
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record and NVD detail provide information on the vulnerability and its fix. Additional references include GitHub commits and release notes. To verify, defenders should review the official advisory and GitHub release notes for version 3.7.1. The evidence is limited to public sources and may not reflect the full scope of affected systems or potential impacts.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T23:17:06.030Z and has not been modified since then.