716 matches found
SiYuan <= 3.6.5 - Unauthenticated Path Traversal
SiYuan = 3.6.5 contains a path traversal via double URL-encoding in the /assets/ route publish mode port 6808, allowing unauthenticated attackers to read arbitrary files inside WorkspaceDir including conf/conf.json which exposes the API token and access auth code. id: CVE-2026-54066 info: name:...
SiYuan Note <= 3.6.5 - Authentication Bypass
SiYuan Note 3.6.5 and prior is vulnerable to authentication bypass. The CheckAuth middleware unconditionally trusted all chrome-extension:// origins, granting RoleAdministrator access without token validation to any request with a spoofed Origin header. Fixed in v3.7.0. id: CVE-2026-54069 info:...
SiYuan <= v3.6.1 - Path Traversal
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes an unauthenticated file-serving endpoint under /appearance/filepath. Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server...
SiYuan <= v3.5.9 - Cross Site Scripting
SiYuan v3.5.10 contains a reflected XSS caused by improper sanitization of javascript: href attributes allowing ASCII control characters to bypass prefix checks in SVG sanitizer, letting unauthenticated attackers execute JavaScript via /api/icon/getDynamicIcon. id: CVE-2026-31809 info: name: SiYu...
SiYuan <= v3.6.1 - Bookmark Data Disclosure
SiYuan v3.6.2 contains an information disclosure vulnerability caused by improper authorization checks in the publish service's bookmark filtering, letting unauthenticated visitors access bookmarked blocks from password-protected documents, exploit requires access to the publish service. id:...
SiYuan <= v3.5.9 - SVG Animate Element XSS
SiYuan = v3.5.9 contains a reflected XSS caused by insufficient SVG sanitization allowing SVG animation elements to inject executable JavaScript in /api/icon/getDynamicIcon endpoint, letting unauthenticated attackers execute scripts. id: CVE-2026-31807 info: name: SiYuan = v3.5.9 - SVG Animate...
SiYuan Note - Cross-Site Scripting
Unauthenticated reflected cross-site scripting XSS vulnerability in all versions of SiYuan Note containing /api/icon/getDynamicIcon with unsafe type=8 rendering logic. Attacker-controlled content is inserted directly into SVG output without proper sanitization. An attacker can execute arbitrary...
CVE-2026-54068
creationtimestamp| type| source ---|---|--- 2026-07-10 20:35:17+00:00| published-proof-of-concept| https://github.com/siyuan-note/siyuan/security/advisories/GHSA-gcm7-57gf-953c 2026-07-11 04:41:43+00:00| seen| https://gist.github.com/alon710/5b22d6c437eabc82b89ba6fa8ccee27d...
EUVD-2026-39127
SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML...
EUVD-2026-39126
SiYuan: Stored XSS in Bazaar marketplace via package README event handlers...
EUVD-2026-39125
SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist...
EUVD-2026-39124
SiYuan: Unauthenticated SQLite Data Exfiltration via Template Injection in /api/icon/getDynamicIcon...
EUVD-2026-39123
SiYuan: Stored XSS to RCE via CSS-snippet breakout in renderSnippet...
EUVD-2026-39122
SiYuan: Path Traversal via Double URL Encoding in /assets/path publish mode arbitrary file─read, Incomplete fix of CVE-2026-41894...
CVE-2026-59854
SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, POST /api/file/globalCopyFiles accepts attacker-supplied absolute source paths and relies on util.IsSensitivePath in kernel/util/path.go, whose denylist misses common home-directory credential files such as...
CVE-2026-59855
SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, Asset.render in app/src/asset/index.ts interpolates the unsanitized this.path value into HTML assigned to innerHTML, allowing a crafted asset link containing a double quote to break out of the src attribute, inject an...
CVE-2026-59834
SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the block search endpoint POST /api/search/fullTextSearchBlock concatenates attacker-controlled paths values into SQL predicates used by non-SQL search modes, allowing an unauthenticated publish visitor to inject a UNI...
CVE-2026-59854
SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, POST /api/file/globalCopyFiles accepts attacker-supplied absolute source paths and relies on util.IsSensitivePath in kernel/util/path.go, whose denylist misses common home-directory credential files such as...
CVE-2026-59854
SiYuan (open-source PKM) prior to 3.7.1 allows an authenticated administrator or API-token user to copy home-directory credential files into the workspace via POST /api/file/globalCopyFiles. The root cause is util.IsSensitivePath’s denylist in kernel/util/path.go missing common home-dir dotfiles ...
CVE-2026-59854 SiYuan: Incomplete IsSensitivePath denylist: globalCopyFiles reads home-dir credential dotfiles into the workspace
SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, POST /api/file/globalCopyFiles accepts attacker-supplied absolute source paths and relies on util.IsSensitivePath in kernel/util/path.go, whose denylist misses common home-directory credential files such as...