{"id":"CVE-2024-55659","summary":"SiYuan has an arbitrary file write on the host via /api/asset/upload","details":"SiYuan is a personal knowledge management system. Prior to version 3.1.16, the `/api/asset/upload` endpoint in SiYuan is vulnerable to both an arbitrary file write on the host and stored cross-site scripting (achieved through that file write). Version 3.1.16 contains a patch for the issue.","aliases":["GHSA-fqj6-whhx-47p7","GO-2024-3326"],"modified":"2026-04-10T05:18:36.817770Z","published":"2024-12-11T22:53:45.983Z","related":["openSUSE-SU-2024:14599-1"],"database_specific":{"cwe_ids":["CWE-22","CWE-79"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/55xxx/CVE-2024-55659.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/55xxx/CVE-2024-55659.json"},{"type":"ADVISORY","url":"https://github.com/siyuan-note/siyuan/security/advisories/GHSA-fqj6-whhx-47p7"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-55659"},{"type":"FIX","url":"https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/siyuan-note/siyuan","events":[{"introduced":"0"},{"fixed":"7d34a87da4c2c5f2324a2dee9d8da1f576f415fe"}]}],"versions":["dev2.0.17-2","v0.1.0","v0.1.1","v0.1.2","v0.1.3","v0.1.4","v0.1.5","v0.1.6","v0.1.7","v0.1.8","v0.1.9","v0.2.0","v0.2.1","v0.2.2","v0.2.3","v0.2.4","v0.2.5","v0.2.6","v0.2.7","v0.2.8","v0.2.9","v0.3.0","v0.3.1","v0.3.2","v0.3.3","v0.3.4","v0.3.5","v0.3.6","v0.3.7","v0.3.8","v0.3.9","v0.4.0","v0.4.1","v0.4.1-x2","v0.4.2","v0.4.3","v0.4.3-x1","v0.4.32","v0.4.4","v0.4.5","v0.4.6","v0.4.7","v0.4.8","v0.4.9","v0.4.91","v0.4.92","v0.4.93","v0.4.94","v0.5.0","v0.5.1","v0.5.2","v0.5.3","v0.5.4","v0.5.41","v0.5.42","v0.5.43","v0.5.44","v0.5.45","v0.5.46","v0.5.5","v0.5.6","v0.5.6-alpha1","v0.5.7","v0.5.8","v0.5.9","v0.6.0","v0.6.1","v0.6.2","v0.6.3","v0.
6.4","v0.6.5","v0.6.6","v0.6.7","v0.6.8","v0.7.0","v0.7.1","v0.7.5","v0.7.8","v0.8.0","v0.8.5","v0.9.0","v0.9.2","v0.9.5","v0.9.6","v0.9.7","v0.9.8","v0.9.9","v1.0.0","v1.0.1","v1.0.2","v1.0.3","v1.0.4","v1.0.5","v1.0.6","v1.0.7","v1.0.8","v1.0.9","v1.1.0","v1.1.1","v1.1.2","v1.1.3","v1.1.4","v1.1.5","v1.1.6","v1.1.7","v1.1.8","v1.1.81","v1.1.82","v1.1.83","v1.2.0","v1.2.0-beta1","v1.2.0-beta10","v1.2.0-beta11","v1.2.0-beta12","v1.2.0-beta13","v1.2.0-beta14","v1.2.0-beta15","v1.2.0-beta16","v1.2.0-beta2","v1.2.0-beta3","v1.2.0-beta4","v1.2.0-beta5","v1.2.0-beta6","v1.2.0-beta7","v1.2.0-beta8","v1.2.0-beta9","v1.2.0-rc1","v1.2.0-rc2","v1.2.0-rc3","v1.2.1","v1.2.2","v1.2.3","v1.2.31","v1.2.5","v1.2.6","v1.2.7","v1.2.8","v1.2.9","v1.3.0","v1.3.1","v1.3.2","v1.3.3","v1.3.4","v1.3.5","v1.3.6","v1.3.7","v1.3.8","v1.3.9","v1.4.0","v1.4.1","v1.4.2","v1.4.3","v1.4.4","v1.4.5","v1.4.6","v1.4.7","v1.4.8","v1.5.0","v1.5.1","v1.5.2","v1.5.3","v1.5.4","v1.5.5","v1.5.5-beta1","v1.5.5-beta2","v1.5.5-beta3","v1.5.6","v1.6.0","v1.6.1","v1.6.2","v1.6.3","v1.7.0","v1.7.1","v1.7.10","v1.7.11","v1.7.2","v1.7.3","v1.7.4","v1.7.5","v1.7.6","v1.7.7","v1.7.8","v1.7.9","v1.8.0","v1.8.1","v1.8.2","v1.8.4","v1.8.5","v1.8.6","v1.8.7","v1.8.8","v1.8.9","v1.9.0","v1.9.1","v1.9.2","v1.9.3","v1.9.4","v1.9.5","v1.9.6","v1.9.7","v1.9.8","v1.9.9","v2.0.0","v2.0.0-beta1","v2.0.0-beta2","v2.0.1","v2.0.10","v2.0.11","v2.0.12","v2.0.13","v2.0.14","v2.0.15","v2.0.16","v2.0.17","v2.0.18","v2.0.19","v2.0.2","v2.0.20","v2.0.21","v2.0.21-dev1","v2.0.22","v2.0.23","v2.0.24","v2.0.25","v2.0.26","v2.0.26-dev1","v2.0.26-dev2","v2.0.27","v2.0.3","v2.0.4","v2.0.5","v2.0.6","v2.0.7","v2.0.8","v2.0.9","v2.1.0","v2.1.1","v2.1.10","v2.1.11","v2.1.12","v2.1.13","v2.1.14","v2.1.2","v2.1.3","v2.1.3-dev1","v2.1.4","v2.1.5","v2.1.6","v2.1.6-dev1","v2.1.7","v2.1.8","v2.1.8-dev1","v2.1.9","v2.10.0","v2.10.1","v2.10.1-dev1","v2.10.10","v2.10.11","v2.10.11-dev2","v2.10.12","v2.10.12-dev1","v2.10.13","v2.10.13-dev1","v2.10.13-dev5
","v2.10.14","v2.10.14-dev1","v2.10.14-dev2","v2.10.15","v2.10.15-dev1","v2.10.16","v2.10.16-dev2","v2.10.2","v2.10.3","v2.10.3-dev1","v2.10.3-dev2","v2.10.3-dev3","v2.10.4","v2.10.4-dev1","v2.10.5","v2.10.5-dev1","v2.10.5-dev2","v2.10.6","v2.10.6-dev1","v2.10.6-dev2","v2.10.6-dev3","v2.10.6-dev4","v2.10.8","v2.10.8-dev1","v2.10.8-dev2","v2.10.8-dev3","v2.10.9","v2.10.9-dev3","v2.11.0","v2.11.0-dev2","v2.11.1","v2.11.1-dev1","v2.11.2","v2.11.2-dev1","v2.11.2-dev2","v2.11.2-dev3","v2.11.2-dev4","v2.11.2-dev5","v2.11.3","v2.11.3-dev1","v2.11.3-dev2","v2.11.4","v2.11.4-dev2","v2.11.4-dev4","v2.11.4-dev5","v2.11.4-dev6","v2.12.0","v2.12.0-dev1","v2.12.1","v2.12.1-dev3","v2.12.2","v2.12.3","v2.12.3-dev2","v2.12.4","v2.12.4-dev2","v2.12.5","v2.12.6","v2.12.7","v2.12.7-dev1","v2.12.7-dev2","v2.12.8","v2.12.8-dev2","v2.2.0","v2.2.1","v2.2.2","v2.2.3","v2.3.0","v2.3.1","v2.3.2","v2.3.3","v2.4.0","v2.4.1","v2.4.10","v2.4.11","v2.4.12","v2.4.12-dev2","v2.4.2","v2.4.3","v2.4.4","v2.4.5","v2.4.6","v2.4.7","v2.4.8","v2.4.9","v2.5.0","v2.5.0-dev1","v2.5.0-dev2","v2.5.1","v2.5.1-dev1","v2.5.1-dev2","v2.5.2","v2.5.2-dev2","v2.5.3","v2.5.3-dev2","v2.5.4","v2.5.4-dev1","v2.5.5","v2.5.5-dev1","v2.6.0","v2.6.0-dev1","v2.6.0-dev2","v2.6.0-dev3","v2.6.1","v2.6.1-dev3","v2.6.1-dev4","v2.6.1-dev5","v2.6.1-dev6","v2.6.1-dev7","v2.6.2","v2.6.3","v2.6.3-dev1","v2.6.3-dev2","v2.6.3-dev3","v2.6.3-dev4","v2.6.3-dev6","v2.7.0","v2.7.1","v2.7.1-dev1","v2.7.1-dev5","v2.7.10","v2.7.2","v2.7.2-dev1","v2.7.2-dev2","v2.7.2-dev3","v2.7.3","v2.7.3-dev3","v2.7.3-dev4","v2.7.4","v2.7.4-dev1","v2.7.5","v2.7.5-dev2","v2.7.6","v2.7.6-dev3","v2.7.6-dev4","v2.7.7","v2.7.7-dev1","v2.7.7-dev2","v2.7.7-dev3","v2.7.7-dev4","v2.7.8","v2.7.8-dev1","v2.7.9","v2.7.9-dev1","v2.7.9-dev2","v2.8.0","v2.8.0-dev1","v2.8.1-dev1","v2.8.1-dev2","v2.8.1-dev3","v2.8.10","v2.8.3","v2.8.3-dev1","v2.8.4","v2.8.4-dev2","v2.8.5","v2.8.5-dev1","v2.8.5-dev2","v2.8.5-dev3","v2.8.6","v2.8.6-dev1","v2.8.6-dev2","v2.8.6-dev4","v2.8.7","v2.8.
7-dev2","v2.8.7-dev3","v2.8.7-dev5","v2.8.8","v2.8.8-dev1","v2.8.8-dev3","v2.8.9","v2.8.9-dev2","v2.8.9-dev3","v2.9.0","v2.9.0-dev1","v2.9.1","v2.9.1-dev1","v2.9.1-dev2","v2.9.2","v2.9.2-dev2","v2.9.2-dev3","v2.9.3","v2.9.3-dev1","v2.9.3-dev3","v2.9.4","v2.9.4-dev2","v2.9.5","v2.9.5-dev2","v2.9.6","v2.9.6-dev1","v2.9.7","v2.9.7-dev2","v2.9.7-dev3","v2.9.8","v2.9.8-dev1","v2.9.8-dev2","v2.9.9","v2.9.9-dev1","v3.0.0","v3.0.0-dev1","v3.0.0-dev2","v3.0.1","v3.0.1-dev2","v3.0.10","v3.0.10-dev1","v3.0.10-dev3","v3.0.11","v3.0.12","v3.0.12-dev1","v3.0.12-dev4","v3.0.12-dev5","v3.0.13-dev3","v3.0.13-dev4","v3.0.14","v3.0.15","v3.0.15-dev1","v3.0.15-dev2","v3.0.16","v3.0.16-dev3","v3.0.17","v3.0.17-dev1","v3.0.17-dev2","v3.0.2","v3.0.2-dev2","v3.0.3","v3.0.3-dev4","v3.0.3-dev5","v3.0.4","v3.0.4-dev2","v3.0.5","v3.0.5-dev3","v3.0.5-dev4","v3.0.5-dev5","v3.0.6","v3.0.6-dev2","v3.0.6-dev3","v3.0.7","v3.0.7-dev1","v3.0.8","v3.0.8-dev1","v3.0.8-dev2","v3.0.9","v3.1.0","v3.1.0-dev10","v3.1.0-dev11","v3.1.0-dev12","v3.1.0-dev2","v3.1.0-dev3","v3.1.0-dev8","v3.1.0-dev9","v3.1.1-dev1","v3.1.1-dev2","v3.1.10","v3.1.10-dev1","v3.1.10-dev6","v3.1.11","v3.1.11-dev2","v3.1.11-dev5","v3.1.11-dev9","v3.1.12","v3.1.12-dev2","v3.1.12-dev3","v3.1.12-dev4","v3.1.13","v3.1.14","v3.1.14-dev2","v3.1.15","v3.1.15-dev1","v3.1.15-dev3","v3.1.2","v3.1.2-dev2","v3.1.2-dev3","v3.1.2-dev4","v3.1.3","v3.1.3-dev1","v3.1.3-dev2","v3.1.4","v3.1.4-dev2","v3.1.4-dev3","v3.1.4-dev5","v3.1.5","v3.1.6","v3.1.6-dev1","v3.1.6-dev2","v3.1.7","v3.1.7-dev3","v3.1.7-dev4","v3.1.7-dev5","v3.1.7-dev7","v3.1.7-dev8","v3.1.8","v3.1.8-dev2","v3.1.8-dev3","v3.1.9","v3.1.9-dev1","v3.1.9-dev10","v3.1.9-dev2","v3.1.9-dev3","v3.1.9-dev4","v3.1.9-dev6","v3.1.9-dev7","v3.1.9-dev9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-55659.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"}]}