216 matches found
SiYuan Note - Cross-Site Scripting
SiYuan Note through version 3.6.1 is vulnerable to unauthenticated reflected Cross-Site Scripting XSS in the /api/icon/getDynamicIcon endpoint due to improper filtering of SVG elements with a namespace prefix such as . By using a namespaced script element, attackers can bypass the SanitizeSVG...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: “Revert ‘drm/amd/pm: resolve reboot exception for si oland’” This fix is reflected in commit e490d60a2f76bff636c68ce4fe34c1b6c34bbd86. This issue causes hangs on SI when DC is enabled, and errors occur during driver-related reboo...
Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15
In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Clean up sidomain in the initdmars error path A splat from kmemcachedestroy was observed in a previous version of the kernel commit ee2653bbe89d, “iommu/vt-d: Remove domain and devinfo mempool” when there was a failur...
SUSE CVE-2026-46108
In the Linux kernel, the following vulnerability has been resolved: ipmi:si: Return state to normal if message allocation fails There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state...
CVE-2026-46108
In the Linux kernel, the following vulnerability has been resolved: ipmi:si: Return state to normal if message allocation fails There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state...
CVE-2026-46108
In the Linux kernel, the following vulnerability has been resolved: ipmi:si: Return state to normal if message allocation fails There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state...
Linux kernel 安全漏洞
The Linux kernel is the kernel used by the Linux operating system developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the ipmi:si driver failing to restore its state when message allocation fails...
CVE-2026-44588
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, he tooltip mouseover handler in app/src/block/popover.ts reads aria-label via getAttribute and passes it through decodeURIComponent before assigning to messageElement.innerHTML in app/src/dialog/tooltip.ts:41. The...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-010874)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-010874 advisory. In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Clean up sidomain in the initdmars error path A splat from kmemcachedestroy was seen...
CVE-2026-25599
creationtimestamp| type| source ---|---|--- 2026-04-16 22:11:24+00:00| seen| https://www.cert.si/en/cve-2026-25599 2026-06-01 13:02:35+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mna5bhwura2j...
CVE-2026-34605
SiYuan 3.6.0–3.6.1 suffer a bypass of the SanitizeSVG XSS fix on the unauthenticated /api/icon/getDynamicIcon endpoint. The Go HTML5 parser records namespace-prefixed SVG tags as x:script, allowing the tag to bypass the numeric sprite check; when served as image/svg+xml without a CSP, the browser...
CVE-2026-34448 SiYuan: Stored XSS in Attribute View gallery/kanban cover rendering allows arbitrary command execution in the desktop client
SiYuan is a personal knowledge management system. Prior to version 3.6.2, an attacker who can place a malicious URL in an Attribute View mAsse field can trigger stored XSS when a victim opens the Gallery or Kanban view with “Cover From - Asset Field” enabled. The vulnerable code accepts arbitrary...
PT-2026-29377
Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.6.2 Description A security flaw exists in SiYuan that allows a malicious website to achieve Remote Code Execution RCE on a desktop system running the application. This is possible due to a permissive CORS policy...
SUSE CVE-2026-32938
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET...
CVE-2026-33670
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the /api/file/readDir interface was used to traverse and retrieve the file names of all documents under a notebook. Version 3.6.2 patches the issue...
CVE-2026-33670 SiYuan has directory traversal within its publishing service
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the /api/file/readDir interface was used to traverse and retrieve the file names of all documents under a notebook. Version 3.6.2 patches the issue...
SUSE CVE-2026-31807
SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer SanitizeSVG blocks dangerous elements , , and removes on event handlers and javascript: in href attributes. However, it does NOT block SVG animation elements , which can dynamically set attributes to dangero...
SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata
Stored XSS to RCE via Unsanitized Bazaar Package Metadata Summary SiYuan's Bazaar community marketplace renders package metadata fields displayName, description using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which...
PT-2026-25859
Name of the Vulnerable Software and Affected Versions SiYuan versions 3.6.0 and below Description SiYuan, a personal knowledge management system, contains an authorization bypass that allows authenticated users, including those with the Reader role, to execute arbitrary SQL statements against the...
EUVD-2026-10394
SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts RoleReader to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint...