11 matches found
CVE-2026-54068 SiYuan: Unauthenticated SQLite Data Exfiltration via Template Injection in /api/icon/getDynamicIcon
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the /api/icon/getDynamicIcon endpoint is explicitly excluded from authentication in SiYuan's kernel router router.go, "不需要鉴权" -- no auth needed. When called with type=8 and a valid block id parameter, this endpoint...
PT-2026-51455
Name of the Vulnerable Software and Affected Versions Actual versions prior to 26.6.0 Description Actual is a local-first personal finance tool that fails to neutralize formula-trigger characters when exporting data to CSV. The functions exportToCSV and exportQueryToCSV in...
CVE-2026-32704
SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes. Thi...
EUVD-2025-25805
Malicious code in bioql PyPI...
CVE-2025-52035
A vulnerability in NotesCMS and specifically in the page /index.php?route=notes. The manipulation of the title of the service descriptions leads to a stored XSS vulnerability. The issue was confirmed to be present in the source code as of commit 7d821a0f028b0778b245b99ab3d3bff1ac10e2d3 dated...
CVE-2025-52037
A vulnerability has been found in NotesCMS and classified as medium. Affected by this vulnerability is the page /index.php?route=sites. The manipulation of the title of the service descriptions leads to a stored XSS vulnerability. The issue was confirmed to be present in the source code as of...
CVE-2025-52036
A vulnerability has been found in NotesCMS and classified as medium. Affected by this vulnerability is the page /index.php?route=categories. The manipulation of the title of the service descriptions leads to a stored XSS vulnerability. The issue was confirmed to be present in the source code as o...
CVE-2025-52036
NotesCMS contains a stored XSS vulnerability (CWE-79) on the /index.php?route=categories page. The issue arises from manipulation of the service descriptions title in the source code, present as of commit 7d821a0f028b0778b245b99ab3d3bff1ac10e2d3 (2024-05-08) and fixed in commit 95322c5121dbd7070f...
CVE-2025-52035
A vulnerability in NotesCMS and specifically in the page /index.php?route=notes. The manipulation of the title of the service descriptions leads to a stored XSS vulnerability. The issue was confirmed to be present in the source code as of commit 7d821a0f028b0778b245b99ab3d3bff1ac10e2d3 dated...
CVE-2021-1859
A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.3. Locked Notes content may have been unexpectedly unlocked...
CVE-2024-23228
Apple iOS 17.3 and iPadOS 17.3 fix a vulnerability in the Notes component where Locked Notes content may have been unexpectedly unlocked due to state-management issues. Affected products are iPhone and iPad models supporting iOS/iPadOS 17.3. Root cause: improved state management within Notes. Imp...