7 matches found
CVE-2025-21609
SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the POST /api/history/getDocHistoryContent endpoint. An attacker can craft a payload to exploit this vulnerability, resulti...
CVE-2024-55660
SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's /api/template/renderSprig endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limitations, it allows attackers to access environment variables. ...
CVE-2024-53507
A SQL injection vulnerability was discovered in Siyuan 3.1.11 in /getHistoryItems.
CVE-2024-53506
A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the ids array parameter in /batchGetBlockAttrs.
CVE-2024-53504
A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the notebook parameter in /searchHistory.
CVE-2024-53505
A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the id parameter at /getAssetContent.
CVE-2024-2692
SiYuan version 3.0.3 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to Server Side XSS.