Siyuan Security Vulnerabilities and Issues — Siyuan CVE List

Lucene search

B3logSiyuan

11 matches found

CVE•added 2025/01/03 5:15 p.m.•93 views

CVE-2025-21609

SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the POST /api/history/getDocHistoryContent endpoint. An attacker can craft a payload to exploit this vulnerability, resulti...

9.1CVSS6.5AI score0.00165EPSS

CVE•added 2024/12/12 2:15 a.m.•85 views

CVE-2024-55659

SiYuan is a personal knowledge management system. Prior to version 3.1.16, the /api/asset/upload endpoint in Siyuan is vulnerable to both arbitrary file write to the host and stored cross-site scripting (via the file write). Version 3.1.16 contains a patch for the issue.

8.7CVSS6.2AI score0.00067EPSS

CVE•added 2024/12/12 2:15 a.m.•81 views

CVE-2024-55657

SiYuan is a personal knowledge management system. Prior to version 3.1.16, an arbitrary file read vulnerability exists in Siyuan's /api/template/render endpoint. The absence of proper validation on the path parameter allows attackers to access sensitive files on the host system. Version 3.1.16 cont...

8.7CVSS6.8AI score0.00192EPSS

CVE•added 2024/12/12 2:15 a.m.•79 views

CVE-2024-55658

SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's /api/export/exportResources endpoint is vulnerable to arbitary file read via path traversal. It is possible to manipulate the paths parameter to access and download arbitrary files from the host system by traversing...

8.7CVSS6.9AI score0.00155EPSS

CVE•added 2024/12/12 2:15 a.m.•79 views

CVE-2024-55660

SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's /api/template/renderSprig endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limitations, it allows attackers to access environment variables. ...

9.8CVSS7.2AI score0.00216EPSS

CVE•added 2024/11/29 8:15 p.m.•69 views

CVE-2024-53507

A SQL injection vulnerability was discovered in Siyuan 3.1.11 in /getHistoryItems.

9.8CVSS8AI score0.00052EPSS

CVE•added 2024/11/29 8:15 p.m.•64 views

CVE-2024-53506

A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the ids array parameter in /batchGetBlockAttrs.

9.8CVSS8AI score0.00163EPSS

CVE•added 2024/11/29 8:15 p.m.•60 views

CVE-2024-53504

A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the notebook parameter in /searchHistory.

9.8CVSS8AI score0.00041EPSS

CVE•added 2024/11/29 8:15 p.m.•53 views

CVE-2024-53505

A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the id parameter at /getAssetContent.

9.8CVSS8AI score0.00101EPSS

CVE•added 2024/04/04 2:15 a.m.•46 views

CVE-2024-2692

SiYuan version 3.0.3 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to Server Side XSS.

9CVSS9.3AI score0.00167EPSS

CVE•added 2024/07/21 5:15 a.m.•38 views

CVE-2024-6938

A vulnerability has been found in SiYuan 3.1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file PDF.js of the component PDF Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclos...

5.4CVSS3.8AI score0.00214EPSS