Siyuan
by Siyuan Note
Source repositories
CVEs (74)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-32767 | 0.00 | — | 0.01 | Mar 20, 2026 | SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL… | |||
| CVE-2026-32815 | 0.00 | — | 0.00 | Mar 19, 2026 | SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint (/ws) allows unauthenticated connections when specific URL parameters are provided (?app=siyuan&id=auth&type=auth). This bypass, intended for the login page to keep the kernel… | |||
| CVE-2026-32750 | 0.00 | — | 0.00 | Mar 19, 2026 | SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importStdMd passes the localPath parameter directly to model.ImportFromLocalPath with zero path validation. The function recursively reads every file under the given path and… | |||
| CVE-2026-32751 | 0.00 | — | 0.01 | Mar 19, 2026 | SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree (MobileFiles.ts) renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version (Files.ts) properly uses… | |||
| CVE-2026-32749 | 0.00 | — | 0.00 | Mar 19, 2026 | SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importSY and POST /api/import/importZipMd write uploaded archives to a path derived from the multipart filename field without sanitization, allowing an admin to write files to… | |||
| CVE-2026-32747 | 0.00 | — | 0.00 | Mar 19, 2026 | SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the globalCopyFiles API eads source files using filepath.Abs() with no workspace boundary check, relying solely on util.IsSensitivePath() whose blocklist omits /proc/, /run/secrets/, and home… | |||
| CVE-2026-32704 | 0.00 | — | 0.00 | Mar 13, 2026 | SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and… | |||
| CVE-2026-32110 | 0.00 | — | 0.00 | Mar 11, 2026 | SiYuan is a personal knowledge management system. Prior to 3.6.0, the /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full… | |||
| CVE-2026-31809 | 0.00 | — | 0.01 | Mar 10, 2026 | SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) checks href attributes for the javascript: prefix using strings.HasPrefix(). However, inserting ASCII tab ( ), newline ( ), or carriage return ( ) characters inside… | |||
| CVE-2026-31807 | 0.00 | — | 0.00 | Mar 10, 2026 | SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) blocks dangerous elements (, , ) and removes on* event handlers and javascript: in href attributes. However, it does NOT block SVG animation… | |||
| CVE-2026-30869 | 0.00 | — | 0.01 | Mar 9, 2026 | SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary files from the server filesystem. By exploiting double‑encoded traversal sequences, an attacker can access sensitive… | |||
| CVE-2026-30926 | 0.00 | — | 0.00 | Mar 9, 2026 | SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API… | |||
| CVE-2026-29183 | 0.00 | — | 0.01 | Mar 6, 2026 | SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint "GET /api/icon/getDynamicIcon" when type=8, attacker-controlled content is embedded into SVG output without escaping.… | |||
| CVE-2026-29073 | 0.00 | — | 0.00 | Mar 6, 2026 | SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql lets a user run sql directly, but it only checks basic auth, not admin rights, any logged-in user, even readers, can run any sql query on the database. This issue has been patched in… | |||
| CVE-2026-25992 | 0.00 | — | 0.01 | Feb 10, 2026 | SiYuan is a personal knowledge management system. Prior to 3.5.5, the /api/file/getFile endpoint uses case-sensitive string equality checks to block access to sensitive files. On case-insensitive file systems such as Windows, attackers can bypass restrictions using mixed-case… | |||
| CVE-2026-25647 | 0.00 | — | 0.00 | Feb 6, 2026 | Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note.… | |||
| CVE-2026-25539 | 0.00 | — | 0.01 | Feb 4, 2026 | SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by… | |||
| CVE-2026-23852 | 0.00 | — | 0.01 | Jan 19, 2026 | SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML attributes into the `icon` attribute of a block via the `/api/attr/setBlockAttrs` API. The payload is… | |||
| CVE-2026-23851 | 0.00 | — | 0.00 | Jan 19, 2026 | SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace… | |||
| CVE-2026-23847 | 0.00 | — | 0.00 | Jan 19, 2026 | SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted… |
- CVE-2026-32767Mar 20, 2026risk 0.00cvss —epss 0.01
SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL…
- CVE-2026-32815Mar 19, 2026risk 0.00cvss —epss 0.00
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint (/ws) allows unauthenticated connections when specific URL parameters are provided (?app=siyuan&id=auth&type=auth). This bypass, intended for the login page to keep the kernel…
- CVE-2026-32750Mar 19, 2026risk 0.00cvss —epss 0.00
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importStdMd passes the localPath parameter directly to model.ImportFromLocalPath with zero path validation. The function recursively reads every file under the given path and…
- CVE-2026-32751Mar 19, 2026risk 0.00cvss —epss 0.01
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree (MobileFiles.ts) renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version (Files.ts) properly uses…
- CVE-2026-32749Mar 19, 2026risk 0.00cvss —epss 0.00
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importSY and POST /api/import/importZipMd write uploaded archives to a path derived from the multipart filename field without sanitization, allowing an admin to write files to…
- CVE-2026-32747Mar 19, 2026risk 0.00cvss —epss 0.00
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the globalCopyFiles API eads source files using filepath.Abs() with no workspace boundary check, relying solely on util.IsSensitivePath() whose blocklist omits /proc/, /run/secrets/, and home…
- CVE-2026-32704Mar 13, 2026risk 0.00cvss —epss 0.00
SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and…
- CVE-2026-32110Mar 11, 2026risk 0.00cvss —epss 0.00
SiYuan is a personal knowledge management system. Prior to 3.6.0, the /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full…
- CVE-2026-31809Mar 10, 2026risk 0.00cvss —epss 0.01
SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) checks href attributes for the javascript: prefix using strings.HasPrefix(). However, inserting ASCII tab ( ), newline ( ), or carriage return ( ) characters inside…
- CVE-2026-31807Mar 10, 2026risk 0.00cvss —epss 0.00
SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) blocks dangerous elements (, , ) and removes on* event handlers and javascript: in href attributes. However, it does NOT block SVG animation…
- CVE-2026-30869Mar 9, 2026risk 0.00cvss —epss 0.01
SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary files from the server filesystem. By exploiting double‑encoded traversal sequences, an attacker can access sensitive…
- CVE-2026-30926Mar 9, 2026risk 0.00cvss —epss 0.00
SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API…
- CVE-2026-29183Mar 6, 2026risk 0.00cvss —epss 0.01
SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint "GET /api/icon/getDynamicIcon" when type=8, attacker-controlled content is embedded into SVG output without escaping.…
- CVE-2026-29073Mar 6, 2026risk 0.00cvss —epss 0.00
SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql lets a user run sql directly, but it only checks basic auth, not admin rights, any logged-in user, even readers, can run any sql query on the database. This issue has been patched in…
- CVE-2026-25992Feb 10, 2026risk 0.00cvss —epss 0.01
SiYuan is a personal knowledge management system. Prior to 3.5.5, the /api/file/getFile endpoint uses case-sensitive string equality checks to block access to sensitive files. On case-insensitive file systems such as Windows, attackers can bypass restrictions using mixed-case…
- CVE-2026-25647Feb 6, 2026risk 0.00cvss —epss 0.00
Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note.…
- CVE-2026-25539Feb 4, 2026risk 0.00cvss —epss 0.01
SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by…
- CVE-2026-23852Jan 19, 2026risk 0.00cvss —epss 0.01
SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML attributes into the `icon` attribute of a block via the `/api/attr/setBlockAttrs` API. The payload is…
- CVE-2026-23851Jan 19, 2026risk 0.00cvss —epss 0.00
SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace…
- CVE-2026-23847Jan 19, 2026risk 0.00cvss —epss 0.00
SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted…
Page 3 of 4