13 matches found
SiYuan <= v3.6.1 - Bookmark Data Disclosure
SiYuan v3.6.2 contains an information disclosure vulnerability caused by improper authorization checks in the publish service's bookmark filtering, letting unauthenticated visitors access bookmarked blocks from password-protected documents, exploit requires access to the publish service. id:...
CVE-2026-32767
SiYuan (personal knowledge management) versions 3.6.0 and earlier are affected by an authorization bypass in the /api/search/fullTextSearchBlock endpoint. When the method parameter is 2, user input is passed directly as a raw SQL statement to the SQLite database without authorization or read‑only...
CVE-2026-32815 SiYuan: Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint /ws allows unauthenticated connections when specific URL parameters are provided ?app=siyuan&id=auth&type=auth. This bypass, intended for the login page to keep the kernel alive, allows any...
EUVD-2024-51983
Malicious code in bioql PyPI...
EUVD-2024-27638
Malicious code in bioql PyPI...
EUVD-2024-51985
Malicious code in bioql PyPI...
CVE-2024-55659 SiYuan has an arbitrary file write in the host via /api/asset/upload
SiYuan is a personal knowledge management system. Prior to version 3.1.16, the /api/asset/upload endpoint in Siyuan is vulnerable to both arbitrary file write to the host and stored cross-site scripting via the file write. Version 3.1.16 contains a patch for the issue...
CVE-2024-53507
A SQL injection vulnerability was discovered in Siyuan 3.1.11 in /getHistoryItems...
CVE-2024-53505
A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the id parameter at /getAssetContent...
CVE-2024-2692
SiYuan version 3.0.3 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to Server Side XSS...
CVE-2024-2692
SiYuan version 3.0.3 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to Server Side XSS...
CVE-2024-2692
CVE-2024-2692 affects SiYuan version 3.0.3, with a Server-Side XSS weakness that allows an attacker to execute arbitrary commands on the server. The vulnerability is described across multiple sources as enabling remote command execution due to improper handling of input leading to server-side cod...
PT-2024-21583 · Siyuan · Siyuan
Name of the Vulnerable Software and Affected Versions: SiYuan version 3.0.3 Description: The issue allows executing arbitrary commands on the server due to the application being vulnerable to Server Side XSS. Recommendations: For SiYuan version 3.0.3, update to a version that fixes the Server Sid...