Lucene search
+L

8 matches found

nvd
nvd
added last week6 views

CVE-2026-59853

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the /api/storage/getCriteria endpoint returns saved search criteria from data/storage/criteria.json without the publish-access filtering used by sibling storage endpoints, allowing a publish-mode Reader to read private...

6.5CVSS0.00235EPSS
Exploits0References3
cve
cve
added last week10 views

CVE-2026-59853

SiYuan prior to 3.7.1 exposes saved search criteria via /api/storage/getCriteria without publish-access filtering, enabling a publish-mode Reader to read private document paths, notebooks, documents, and block IDs, and to search/replace keywords for unpublished documents. This reflects a data-exp...

6.5CVSS6AI score0.00235EPSS
Exploits0References3
osv
osv
added 2026/05/13 3:33 p.m.6 views

GHSA-FMH9-GPQH-G53G SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode

Summary The advisory GHSA-c77m-r996-jr3q patched getBookmark so that, when invoked by a publish-mode RoleReader, results are filtered through FilterBlocksByPublishAccess to remove entries from password-protected / publish-ignored notebooks. Four sibling search handlers in the same file did not...

4.3CVSS5.8AI score0.00221EPSS
Exploits0References3
github
github
added 2026/05/13 3:33 p.m.20 views

SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode

Summary The advisory GHSA-c77m-r996-jr3q patched getBookmark so that, when invoked by a publish-mode RoleReader, results are filtered through FilterBlocksByPublishAccess to remove entries from password-protected / publish-ignored notebooks. Four sibling search handlers in the same file did not...

4.3CVSS5.8AI score0.00221EPSS
Exploits0References3Affected Software1
ptsecurity
ptsecurity
added 2026/05/13 12:0 a.m.15 views

PT-2026-40727

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.7.0 Description Broken access control in the publish-mode allows readers to enumerate metadata from documents that are invisible to the publish service. This occurs because certain search handlers do not filter...

4.3CVSS5.8AI score0.00221EPSS
Exploits0References5
osv
osv
added 2026/03/31 11:30 p.m.8 views

GHSA-C77M-R996-JR3Q SiYuan: Unauthenticated Access to Password-Protected Bookmarks via /api/bookmark/getBookmark

Summary The publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling FilterBlocksByPublishAccessnil, .... Because the filter treats a nil context as authorized,...

7.5CVSS5.9AI score0.01227EPSS
Exploits1References5
nvd
nvd
added 2026/02/12 8:16 p.m.5 views

CVE-2026-25767

LavinMQ is a high-performance message queue & streaming server. Before 2.6.8, an authenticated user, with the “Policymaker” tag, could create shovels bypassing access controls. an authenticated user with the "Policymaker" management tag could exploit it to read messages from vhosts they are not...

8.6CVSS0.00251EPSS
Exploits0References5
ptsecurity
ptsecurity
added 2026/02/12 12:0 a.m.18 views

PT-2026-7896

Name of the Vulnerable Software and Affected Versions LavinMQ versions prior to 2.6.8 Description LavinMQ is a high-performance message queue and streaming server. An authenticated user with the “Policymaker” tag could create shovels bypassing access controls. Specifically, an authenticated user...

8.6CVSS5.4AI score0.00251EPSS
Exploits0References10
Rows per page
Query Builder