VYPR

Siyuan

by Siyuan Note


CVEs (74)

  • CVE-2026-45147 | Med | May 14, 2026
    risk 0.21 | cvss 4.3 | epss 0.00

    SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, POST /api/tag/getTag is registered with model.CheckAuth only, omitting both model.CheckAdminRole and model.CheckReadonly, despite the handler performing a configuration write that is normally guarded…

  • CVE-2026-55570 | Jun 24, 2026
    risk 0.00 | cvss - | epss 0.00

    SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, it does not escape the untrusted fields (name, version, author, description) when they are serialized into the data-obj HTML attribute of each marketplace card. Because the attribute is single-quoted…

  • CVE-2026-54759 | Jun 24, 2026
    risk 0.00 | cvss - | epss 0.00

    SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, Lute's HTML sanitizer does not remove elements. Combined with the SiYuan Electron client's permissive security configuration, an attacker can include a malicious in a Bazaar package…

  • CVE-2026-50551 | Jun 24, 2026
    risk 0.00 | cvss - | epss 0.00

    SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan contains a stored cross-site scripting (XSS) vulnerability in the Attribute View (database) asset cell renderer that escalates to remote code execution (RCE) in the Electron desktop client.…

  • CVE-2026-54158 | Jun 24, 2026
    risk 0.00 | cvss - | epss 0.00

    SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the attribute-view (database) cell renderer genAVValueHTML interpolates cell content raw in four of its branches: text, url, phone, and mAsset. A cell value like …

  • CVE-2026-54069 | Jun 24, 2026
    risk 0.00 | cvss - | epss 0.01

    SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. Combined…

  • CVE-2026-54068 | Jun 24, 2026
    risk 0.00 | cvss - | epss 0.00

    SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the /api/icon/getDynamicIcon endpoint is explicitly excluded from authentication in SiYuan's kernel router (router.go, "不需要鉴权" -- no auth needed). When called with type=8 and a valid block…

  • CVE-2026-54067 | Jun 24, 2026
    risk 0.00 | cvss - | epss 0.00

    SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, CSS snippet body containing breaks out of its surrounding tag when renderSnippet() interpolates it via insertAdjacentHTML. A payload like runs arbitrary JavaScript in the renderer. On…

  • CVE-2026-54066 | Jun 24, 2026
    risk 0.00 | cvss - | epss 0.02

    SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the patch for CVE-2026-41894 ("Path Traversal via Double URL Encoding") sanitized the /export/ route but the identical root cause remains in the /assets/*path route. In publish mode (anonymous…

  • CVE-2026-56397 | Jun 21, 2026
    risk 0.00 | cvss - | epss 0.00

    SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads…

  • CVE-2026-56395 | Jun 21, 2026
    risk 0.00 | cvss - | epss 0.00

    SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads…

  • CVE-2026-33670 | Mar 26, 2026
    risk 0.00 | cvss - | epss 0.01

    SiYuan is a personal knowledge management system. Prior to version 3.6.2, the /api/file/readDir interface was used to traverse and retrieve the file names of all documents under a notebook. Version 3.6.2 patches the issue.

  • CVE-2026-33669 | Mar 26, 2026
    risk 0.00 | cvss - | epss 0.01

    SiYuan is a personal knowledge management system. Prior to version 3.6.2, document IDs were retrieved via the /api/file/readDir interface, and then the /api/block/getChildBlocks interface was used to view the content of all documents. Version 3.6.2 patches the issue.

  • CVE-2026-33476 | Mar 20, 2026
    risk 0.00 | cvss - | epss 0.03

    SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath`. Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files…

  • CVE-2026-33203 | Mar 20, 2026
    risk 0.00 | cvss - | epss 0.01

    SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticated connections when a specific "auth keepalive" query parameter is present. After connection, incoming messages are parsed using unchecked type…

  • CVE-2026-33194 | Mar 20, 2026
    risk 0.00 | cvss - | epss 0.00

    SiYuan is a personal knowledge management system. Prior to version 3.6.2, the `IsSensitivePath()` function in `kernel/util/path.go` uses a denylist approach that was recently expanded (GHSA-h5vh-m7fg-w5h6, commit 9914fd1) but remains incomplete. Multiple security-relevant Linux…

  • CVE-2026-33067 | Mar 20, 2026
    risk 0.00 | cvss - | epss 0.01

    SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields (displayName, description) using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes…

  • CVE-2026-33066 | Mar 20, 2026
    risk 0.00 | cvss - | epss 0.01

    SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New() without calling SetSanitize(true), allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to…

  • CVE-2026-32940 | Mar 20, 2026
    risk 0.00 | cvss - | epss 0.00

    SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist — it blocks data:text/html and data:image/svg+xml in href attributes but misses data:text/xml and data:application/xml, both of which can render SVG with…

  • CVE-2026-32938 | Mar 20, 2026
    risk 0.00 | cvss - | epss 0.00

    SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list.…