CVE-2026-30926

SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts RoleReader to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint...

CVE-2026-30926 SiYuan Note publish service authorization bypass allows low-privilege users to modify notebook content

SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts RoleReader to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint...

GHSA-F9CQ-V43P-V523 SiYuan: Authorization Bypass Allows Low-Privilege Publish User to Modify Notebook Content via /api/block/appendHeadingChildren

Summary A privilege escalation vulnerability exists in the publish service of SiYuan Note that allows a low-privilege publish account RoleReader to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint only requires model.CheckAuth, which accepts RoleReader...

PT-2026-24116

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.5.10 Description A privilege escalation issue exists in the publish service of SiYuan Note. A low-privilege publish account RoleReader can modify notebook content through the /api/block/appendHeadingChildren API...