CVE-2026-45147 SiYuan: Broken access control in SiYuan `/api/tag/getTag` — Reader role can mutate `Conf.Tag.Sort` and persist to disk

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, POST /api/tag/getTag is registered with model.CheckAuth only, omitting both model.CheckAdminRole and model.CheckReadonly, despite the handler performing a configuration write that is normally guarded by both. Any...

CVE-2026-40107

SiYuan is a personal knowledge management system. Prior to 3.6.4, SiYuan configures Mermaid.js with securityLevel: "loose" and htmlLabels: true. In this mode, tags with src attributes survive Mermaid's internal DOMPurify and land in SVG blocks. The SVG is injected via innerHTML with no secondary...

CVE-2026-31807

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer SanitizeSVG blocks dangerous elements...

CVE-2026-32940

SiYuan Note's CVE-2026-32940 affects versions 3.6.0 and below where SanitizeSVG's blocklist is incomplete, allowing a click-through XSS via the unauthenticated /api/icon/getDynamicIcon endpoint. The endpoint echoes user-controlled input (content) directly into SVG markup using fmt.Sprintf with no...

CVE-2026-25992 SiYuan has a File Read Interface Case Bypass Vulnerability

SiYuan is a personal knowledge management system. Prior to 3.5.5, the /api/file/getFile endpoint uses case-sensitive string equality checks to block access to sensitive files. On case-insensitive file systems such as Windows, attackers can bypass restrictions using mixed-case paths and read...

SiYuan vulnerable to RCE via zip slip and Command Injection via PandocBin

Summary Siyuan is vulnerable to RCE. The issue stems from a "Zip Slip" vulnerability during zip file extraction, combined with the ability to overwrite system executables and subsequently trigger their execution. Steps to reproduce 1. Authenticate 2. Create zip slip payload with path traversal...

CVE-2025-21609

SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the POST /api/history/getDocHistoryContent endpoint. An attacker can craft a payload to exploit this vulnerability,...

GO-2025-3362 SiYuan has an arbitrary file deletion vulnerability in github.com/siyuan-note/siyuan/kernel

SiYuan has an arbitrary file deletion vulnerability in github.com/siyuan-note/siyuan/kernel...

GO-2024-3327 SiYuan has an arbitrary file read via /api/template/render in github.com/siyuan-note/siyuan/kernel

SiYuan has an arbitrary file read via /api/template/render in github.com/siyuan-note/siyuan/kernel...

GO-2024-3324 SiYuan has an SSTI via /api/template/renderSprig in github.com/siyuan-note/siyuan/kernel

SiYuan has an SSTI via /api/template/renderSprig in github.com/siyuan-note/siyuan/kernel...

SiYuan has an arbitrary file read via /api/template/render

Summary An arbitrary file read vulnerability exists in Siyuan's /api/template/render endpoint. The absence of proper validation on the path parameter allows attackers to access sensitive files on the host system. Impact Arbitrary file read on the host...

SiYuan has an SSTI via /api/template/renderSprig

Summary Siyuan's /api/template/renderSprig endpoint is vulnerable to Server-Side Template Injection SSTI through the Sprig template engine. Although the engine has limitations, it allows attackers to access environment variables Impact Information leakage...

CVE-2024-53506

A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the ids array parameter in /batchGetBlockAttrs...

CVE-2024-53504

A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the notebook parameter in /searchHistory...