2 matches found
CVE-2026-33067
SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields displayName, description using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when an...
CVE-2026-32751
SiYuan vulnerability CVE-2026-32751 affects versions 3.6.0 and earlier where the mobile file tree (MobileFiles.ts) renders notebook names with innerHTML without escaping during renamenotebook WebSocket events. This allows an authenticated user who can rename notebooks to inject HTML/JavaScript th...