VYPR
Vendor

Siyuan Note

Products
1
CVEs
74
Across products
74
Status
Private

Products

1

Recent CVEs

74
View all 74 CVEs →
  • CVE-2026-34449CriMar 31, 2026
    risk 0.55cvss 9.6epss 0.01

    SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiYuan by exploiting the permissive CORS policy (Access-Control-Allow-Origin: * + Access-Control-Allow-Private-Network:…

  • CVE-2026-44670CriMay 14, 2026
    risk 0.54cvss epss 0.01

    SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the kernel stores Attribute View (AV / database) names without any HTML escape, then a render template uses raw strings.ReplaceAll(tpl, "${avName}", nodeAvName) to embed the name in HTML before…

  • CVE-2026-44588CriMay 14, 2026
    risk 0.54cvss epss 0.01

    SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, he tooltip mouseover handler in app/src/block/popover.ts reads aria-label via getAttribute and passes it through decodeURIComponent before assigning to messageElement.innerHTML in…

  • CVE-2026-44586HigMay 14, 2026
    risk 0.54cvss 8.3epss 0.00

    SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's…

  • CVE-2026-45375CriMay 14, 2026
    risk 0.52cvss 9.0epss 0.00

    SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar (community marketplace) renders the name and version fields of a package's plugin.json (and the equivalent theme.json / template.json / widget.json / icon.json) into the Settings →…

  • CVE-2026-40322CriApr 16, 2026
    risk 0.52cvss 9.0epss 0.00

    SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to "loose", and the resulting SVG is injected into the DOM via innerHTML. This allows attacker-controlled javascript: URLs in Mermaid…

  • CVE-2026-39846CriApr 7, 2026
    risk 0.52cvss 9.0epss 0.01

    SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped…

  • CVE-2026-34448CriMar 31, 2026
    risk 0.52cvss 9.0epss 0.00

    SiYuan is a personal knowledge management system. Prior to version 3.6.2, an attacker who can place a malicious URL in an Attribute View mAsse field can trigger stored XSS when a victim opens the Gallery or Kanban view with “Cover From -> Asset Field” enabled. The vulnerable…

  • CVE-2026-41421HigApr 24, 2026
    risk 0.50cvss 8.8epss 0.00

    SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, SiYuan desktop renders notification messages as raw HTML inside an Electron renderer. The notification route POST /api/notification/pushMsg accepts a user-controlled msg value, forwards it through the…

  • CVE-2026-34585HigMar 31, 2026
    risk 0.49cvss 8.6epss 0.00

    SiYuan is a personal knowledge management system. Prior to version 3.6.2, a vulnerability allows crafted block attribute values to bypass server-side attribute escaping when an HTML entity is mixed with raw special characters. An attacker can embed a malicious IAL value inside a…

  • CVE-2026-40318HigApr 16, 2026
    risk 0.48cvss 8.5epss 0.00

    SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject…

  • CVE-2026-45371HigMay 14, 2026
    risk 0.47cvss epss 0.00

    SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs. POST /api/graph/getGraph, POST /api/graph/getLocalGraph, POST /api/sync/setSyncInterval, POST…

  • CVE-2026-40259HigApr 16, 2026
    risk 0.46cvss 8.1epss 0.00

    SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by generic authentication that accepts publish-service RoleReader tokens. The handler passes a caller-controlled id…

  • CVE-2026-34453HigMar 31, 2026
    risk 0.42cvss 7.5epss 0.01

    SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling…

  • CVE-2026-23850HigJan 19, 2026
    risk 0.42cvss 7.5epss 0.01

    SiYuan is a personal knowledge management system. In versions prior to 3.5.4, the markdown feature allows unrestricted server side html-rendering which allows arbitrary file read (LFD). Version 3.5.4 fixes the issue.

  • CVE-2026-41894HigApr 24, 2026
    risk 0.39cvss epss 0.00

    SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, the fix for CVE-2026-30869 only added a denylist check (IsSensitivePath) but did not address the root cause — a redundant url.PathUnescape() call in serveExport(). An authenticated attacker can use…

  • CVE-2026-40107MedApr 9, 2026
    risk 0.35cvss 6.5epss 0.00

    SiYuan is a personal knowledge management system. Prior to 3.6.4, SiYuan configures Mermaid.js with securityLevel: "loose" and htmlLabels: true. In this mode, tags with src attributes survive Mermaid's internal DOMPurify and land in SVG blocks. The SVG is…

  • CVE-2026-34605MedMar 31, 2026
    risk 0.33cvss 6.1epss 0.00

    SiYuan is a personal knowledge management system. From version 3.6.0 to before version 3.6.2, the SanitizeSVG function introduced in version 3.6.0 to fix XSS in the unauthenticated /api/icon/getDynamicIcon endpoint can be bypassed by using namespace-prefixed element names such…

  • CVE-2026-40922MedApr 17, 2026
    risk 0.28cvss 5.4epss 0.00

    SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README rendering (incomplete fix for CVE-2026-33066) enabled the Lute HTML sanitizer, but the sanitizer does not block iframe tags, and its URL-prefix…

  • CVE-2026-45148MedMay 14, 2026
    risk 0.21cvss 4.3epss 0.00

    SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, broken access control in the searchAsset, searchTag, searchWidget, and searchTemplate publish-mode Readers can enumerate metadata from documents that are invisible to the publish service. This…