Go modules package
github.com/siyuan-note/siyuan
pkg:golang/github.com/siyuan-note/siyuan
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32940 | — |  |  | <= 0.0.0-20260313024916-fd6526133bb3 | — | Mar 20, 2026 | SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist — it blocks data:text/html and data:image/svg+xml in href attributes but misses data:text/xml and data:application/xml, both of which can render SVG with JavaScr |
| CVE-2026-32750 | — |  |  | <= 0.0.0-20260313024916-fd6526133bb3 | — | Mar 19, 2026 | SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importStdMd passes the localPath parameter directly to model.ImportFromLocalPath with zero path validation. The function recursively reads every file under the given path and permanent |