CVE-2026-32110HIGH 8.3EPSS p19.3%

CVE-2026-32110CVE-2026-32110

Description

SiYuan is a personal knowledge management system. Prior to 3.6.0, the /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and headers. There is no URL validation to prevent requests to internal networks, localhost, or cloud metadata services. This vulnerability is fixed in 3.6.0.

Scoring

CVSS 3.18.3 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
EPSS0.28% probability of exploitation · percentile 19.3% · 2026-06-19T12:03:05Z
Published2026-03-11
Last modified2026-03-13

Underlying weaknesses· 1

CWE-918

References

  1. https://github.com/siyuan-note/siyuan/security/advisories/GHSA-56cv-c5p2-j2wg

1

TypeTargetConfidenceTier
WeaknessServer-Side Request Forgery (SSRF)cwe-9180%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-29073
CVE
CVE-2026-32767
CVE
CVE-2026-30869
CVE
CVE-2026-40318
CVE
CVE-2026-33067
CVE
CVE-2026-33066
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.