Nuclei
added yesterday

SiYuan <= v3.6.1 - Bookmark Data Disclosure

SiYuan v3.6.2 contains an information disclosure vulnerability caused by improper authorization checks in the publish service's bookmark filtering, letting unauthenticated visitors access bookmarked blocks from password-protected documents; exploitation requires access to the publish service. id:...

CVSS 7.5, AI score 5.8, EPSS 0.01227
Exploits: 1, References: 2
Vulnrichment
added 2026/04/16 10:49 p.m.

CVE-2026-40259 SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via removeUnusedAttributeView API

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by generic authentication that accepts publish-service RoleReader tokens. The handler passes a caller-controlled id directly to a model...

CVSS 8.1, AI score 5.8, EPSS 0.004
Exploits: 1, References: 2
ATTACKERKB
added 2026/04/16 10:49 p.m.

CVE-2026-40259

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by generic authentication that accepts publish-service RoleReader tokens. The handler passes a caller-controlled id directly to a model...

CVSS 8.1, AI score 5.9, EPSS 0.004
Exploits: 1, References: 3, Affected Software: 1
Snyk
added 2026/04/10 7:32 p.m.

Improper Authorization

Overview Affected versions of this package are vulnerable to Improper Authorization via the /api/av/removeUnusedAttributeView process. An attacker can delete arbitrary attribute view definition files and disrupt workspace integrity and availability by sending crafted requests with a valid reader...

CVSS 8.1, AI score 5.9, EPSS 0.004
Exploits: 1, References: 2
RedhatCVE
added 2026/04/01 11:00 p.m.

CVE-2026-34453

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling...

CVSS 7.5, AI score 5.8, EPSS 0.01227
Exploits: 1, References: 1
NVD
added 2026/03/31 10:16 p.m.

CVE-2026-34453

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling...

CVSS 7.5, EPSS 0.01227
Exploits: 1, References: 3
EUVD
added 2026/03/31 9:43 p.m.

EUVD-2026-17683

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling...

CVSS 7.5, AI score 5.8, EPSS 0.01227
Exploits: 1, References: 3
Cvelist
added 2026/03/31 9:43 p.m.

CVE-2026-34453 SiYuan: Broken access control in /api/bookmark/getBookmark allows unauthenticated publish visitors to read password-protected bookmarked content

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling...

CVSS 7.5, EPSS 0.01227
Exploits: 1, References: 3
ATTACKERKB
added 2026/03/31 9:43 p.m.

CVE-2026-34453

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling...

CVSS 7.5, AI score 5.8, EPSS 0.01227
Exploits: 1, References: 4, Affected Software: 1
OSV
added 2026/03/31 9:43 p.m.

CVE-2026-34453 SiYuan: Broken access control in /api/bookmark/getBookmark allows unauthenticated publish visitors to read password-protected bookmarked content

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling...

CVSS 7.5, AI score 5.8, EPSS 0.01227
Exploits: 1, References: 5
Positive Technologies
added 2026/03/31 12:00 a.m.

PT-2026-29381

Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.6.2. Description: The publish service in SiYuan allows unauthenticated visitors to access bookmarked blocks from password-protected documents. This occurs because the /api/bookmark/getBookmark endpoint, when operating ...

CVSS 7.5, AI score 5.9, EPSS 0.01227
Exploits: 1, References: 10
SUSE CVE
added 2026/03/28 12:26 a.m.

SUSE CVE-2026-32750

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importStdMd passes the localPath parameter directly to model.ImportFromLocalPath with zero path validation. The function recursively reads every file under the given path and permanently stores their...

CVSS 6.8, AI score 5.8, EPSS 0.00431
Exploits: 1, References: 3
OSV
added 2026/03/26 8:33 p.m.

GO-2026-4722 SiYuan Vulnerable to Arbitrary File Read in Desktop Publish Service in github.com/siyuan-note/siyuan/kernel

CVSS 9.9, AI score 5.9, EPSS 0.00414
Exploits: 1, References: 4
SUSE CVE
added 2026/03/25 12:25 a.m.

SUSE CVE-2026-30926

SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint...

CVSS 7.1, AI score 5.9, EPSS 0.00311
Exploits: 1, References: 3
CVE
added 2026/03/20 3:19 a.m.

CVE-2026-32938

SiYuan desktop users running versions 3.6.0 and earlier are affected. The flaw in /api/lute/html2BlockDOM allows copying local files referenced by file:// links into the workspace assets directory without validating against a sensitive-path list. When combined with authenticated GET /assets/*path...

CVSS 9.9, AI score 5.7, EPSS 0.00414
Exploits: 1, References: 3, Affected Software: 1
Cvelist
added 2026/03/20 3:19 a.m.

CVE-2026-32938 SiYuan has an Arbitrary File Read in its Desktop Publish Service

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM endpoint on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET...

CVSS 9.9, EPSS 0.00414
Exploits: 1, References: 3
Vulnrichment
added 2026/03/20 3:19 a.m.

CVE-2026-32938 SiYuan has an Arbitrary File Read in its Desktop Publish Service

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM endpoint on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET...

CVSS 9.9, AI score 5.8, EPSS 0.00414
Exploits: 1, References: 3
OSV
added 2026/03/20 3:19 a.m.

CVE-2026-32938 SiYuan has an Arbitrary File Read in its Desktop Publish Service

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM endpoint on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET...

CVSS 9.9, AI score 6.2, EPSS 0.00414
Exploits: 1, References: 5
CVE
added 2026/03/19 9:15 p.m.

CVE-2026-32750

CVE-2026-32750 (SiYuan) affects SiYuan versions 3.6.0 and earlier. The vulnerability occurs in POST /api/import/importStdMd, where the localPath parameter is passed directly to model.ImportFromLocalPath without path validation. The function recursively reads every file under the provided path and...

CVSS 6.8, AI score 5.8, EPSS 0.00431
Exploits: 1, References: 3, Affected Software: 1
Cvelist
added 2026/03/19 9:15 p.m.

CVE-2026-32750 SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importStdMd passes the localPath parameter directly to model.ImportFromLocalPath with zero path validation. The function recursively reads every file under the given path and permanently stores their...

CVSS 6.8, EPSS 0.00431
Exploits: 1, References: 3