SiYuan Note - Cross-Site Scripting
Unauthenticated reflected cross-site scripting (XSS) vulnerability in all versions of SiYuan Note containing /api/icon/getDynamicIcon with unsafe type=8 rendering logic. Attacker-controlled content is inserted directly into SVG output without proper sanitization. An attacker can execute arbitrary...
GO-2026-4993 SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink (incomplete fix for CVE-2026-34585) in github.com/siyuan-note/siyuan/kernel
SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink incomplete fix for CVE-2026-34585 in github.com/siyuan-note/siyuan/kernel...
CVE-2026-45148
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-08 03:05:45+00:00 | published-proof-of-concept | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-fmh9-gpqh-g53g... |
CVE-2026-45147
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-08 02:49:57+00:00 | published-proof-of-concept | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-6r88-8v7q-q4p2... |
CVE-2026-44670
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-04 07:03:18+00:00 | published-proof-of-concept | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-2h64-c999-c9r6... |
CVE-2026-41894
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-19 09:48:52+00:00 | published-proof-of-concept | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hjh7-r5w8-5872... |
Permissive Cross-domain Policy with Untrusted Domains
Overview: Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains through the permissive CORS policy in the serve.go middleware and the snippet injection process. An attacker can execute arbitrary code and exfiltrate sensitive data by enticing a us...
SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API
Summary: SiYuan Note v3.6.0 and likely prior versions contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database...
CVE-2026-32751
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-14 04:26:17+00:00 | published-proof-of-concept | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-qr46-rcv3-4hq3... |
CVE-2026-32750
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-14 04:13:11+00:00 | published-proof-of-concept | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-rjhh-m223-9qqv... |
CVE-2026-32747
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-14 03:14:30+00:00 | published-proof-of-concept | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-h5vh-m7fg-w5h6... |
CVE-2026-32110
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-11 01:11:29+00:00 | published-proof-of-concept | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-56cv-c5p2-j2wg... |
CVE-2026-30926 SiYuan Note publish service authorization bypass allows low-privilege users to modify notebook content
SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint...
CVE-2026-30926
Technical details about CVE-2026-30926 are not provided in the connected documents. The initial description contains specifics, but the connected SUSE/PTSecurity updates do not elaborate on affected products or impact. Monitor for official advisories.
CVE-2026-31809
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-09 08:40:48+00:00 | published-proof-of-concept | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pmc9-f5qr-2pcr... |
CVE-2026-30926
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-07 02:16:33+00:00 | published-proof-of-concept | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523... |
SUSE CVE-2026-23645
SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an...
CVE-2026-25647 Lute has a Stored Cross-Site Scripting (XSS) via Markdown hyperlink
Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier, as used in SiYuan before, has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks...