Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
23 vulnerabilities by siyuan-note
CVE-2026-32704 (GCVE-0-2026-32704)
Vulnerability from cvelistv5 – Published: 2026-03-13 21:10 – Updated: 2026-03-16 16:46
VLAI?
Title
SiYuan renderSprig: missing admin check allows any user to read full workspace DB
Summary
SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes. This vulnerability is fixed in 3.6.1.
Severity ?
6.5 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
< 3.6.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32704",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T16:46:56.066894Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T16:46:59.090Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4j3x-hhg2-fm2x"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c 3.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes. This vulnerability is fixed in 3.6.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T21:10:36.613Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4j3x-hhg2-fm2x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4j3x-hhg2-fm2x"
}
],
"source": {
"advisory": "GHSA-4j3x-hhg2-fm2x",
"discovery": "UNKNOWN"
},
"title": "SiYuan renderSprig: missing admin check allows any user to read full workspace DB"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32704",
"datePublished": "2026-03-13T21:10:36.613Z",
"dateReserved": "2026-03-13T14:33:42.823Z",
"dateUpdated": "2026-03-16T16:46:59.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32110 (GCVE-0-2026-32110)
Vulnerability from cvelistv5 – Published: 2026-03-11 20:38 – Updated: 2026-03-12 14:01
VLAI?
Title
SiYuan has a Full-Read SSRF via /api/network/forwardProxy
Summary
SiYuan is a personal knowledge management system. Prior to 3.6.0, the /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and headers. There is no URL validation to prevent requests to internal networks, localhost, or cloud metadata services. This vulnerability is fixed in 3.6.0.
Severity ?
8.3 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
< 3.6.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32110",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-12T14:00:57.301937Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T14:01:27.532Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c 3.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is a personal knowledge management system. Prior to 3.6.0, the /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and headers. There is no URL validation to prevent requests to internal networks, localhost, or cloud metadata services. This vulnerability is fixed in 3.6.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T20:38:08.708Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-56cv-c5p2-j2wg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-56cv-c5p2-j2wg"
}
],
"source": {
"advisory": "GHSA-56cv-c5p2-j2wg",
"discovery": "UNKNOWN"
},
"title": "SiYuan has a Full-Read SSRF via /api/network/forwardProxy"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32110",
"datePublished": "2026-03-11T20:38:08.708Z",
"dateReserved": "2026-03-10T22:02:38.855Z",
"dateUpdated": "2026-03-12T14:01:27.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31809 (GCVE-0-2026-31809)
Vulnerability from cvelistv5 – Published: 2026-03-10 20:58 – Updated: 2026-03-11 16:00
VLAI?
Title
SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS
Summary
SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) checks href attributes for the javascript: prefix using strings.HasPrefix(). However, inserting ASCII tab (	), newline ( ), or carriage return ( ) characters inside the javascript: string bypasses this prefix check. Browsers strip these characters per the WHATWG URL specification before parsing the URL scheme, so the JavaScript still executes. This allows an attacker to inject executable JavaScript into the unauthenticated /api/icon/getDynamicIcon endpoint, creating a reflected XSS. This is a second bypass of the fix for CVE-2026-29183 (fixed in v3.5.9). This vulnerability is fixed in 3.5.10.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
< 3.5.10
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31809",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T15:23:59.939812Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T16:00:20.423Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan\u0027s SVG sanitizer (SanitizeSVG) checks href attributes for the javascript: prefix using strings.HasPrefix(). However, inserting ASCII tab (\u0026#9;), newline (\u0026#10;), or carriage return (\u0026#13;) characters inside the javascript: string bypasses this prefix check. Browsers strip these characters per the WHATWG URL specification before parsing the URL scheme, so the JavaScript still executes. This allows an attacker to inject executable JavaScript into the unauthenticated /api/icon/getDynamicIcon endpoint, creating a reflected XSS. This is a second bypass of the fix for CVE-2026-29183 (fixed in v3.5.9). This vulnerability is fixed in 3.5.10."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T20:58:36.228Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pmc9-f5qr-2pcr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pmc9-f5qr-2pcr"
}
],
"source": {
"advisory": "GHSA-pmc9-f5qr-2pcr",
"discovery": "UNKNOWN"
},
"title": "SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI \u2014 Unauthenticated XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31809",
"datePublished": "2026-03-10T20:58:36.228Z",
"dateReserved": "2026-03-09T16:33:42.913Z",
"dateUpdated": "2026-03-11T16:00:20.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31807 (GCVE-0-2026-31807)
Vulnerability from cvelistv5 – Published: 2026-03-10 20:56 – Updated: 2026-03-11 16:00
VLAI?
Title
SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS
Summary
SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) blocks dangerous elements (<script>, <iframe>, <foreignobject>) and removes on* event handlers and javascript: in href attributes. However, it does NOT block SVG animation elements (<animate>, <set>) which can dynamically set attributes to dangerous values at runtime, bypassing the static sanitization. This allows an attacker to inject executable JavaScript into the unauthenticated /api/icon/getDynamicIcon endpoint (type=8), creating a reflected XSS. This is a bypass of the fix for CVE-2026-29183 (fixed in v3.5.9). This vulnerability is fixed in v3.5.10.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
< 3.5.10
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31807",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T15:53:40.461914Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T16:00:25.996Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan\u0027s SVG sanitizer (SanitizeSVG) blocks dangerous elements (\u003cscript\u003e, \u003ciframe\u003e, \u003cforeignobject\u003e) and removes on* event handlers and javascript: in href attributes. However, it does NOT block SVG animation elements (\u003canimate\u003e, \u003cset\u003e) which can dynamically set attributes to dangerous values at runtime, bypassing the static sanitization. This allows an attacker to inject executable JavaScript into the unauthenticated /api/icon/getDynamicIcon endpoint (type=8), creating a reflected XSS. This is a bypass of the fix for CVE-2026-29183 (fixed in v3.5.9). This vulnerability is fixed in v3.5.10."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T20:56:57.138Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-5hc8-qmg8-pw27",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-5hc8-qmg8-pw27"
}
],
"source": {
"advisory": "GHSA-5hc8-qmg8-pw27",
"discovery": "UNKNOWN"
},
"title": "SiYuan has a SVG Sanitizer Bypass via `\u003canimate\u003e` Element \u2014 Unauthenticated XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31807",
"datePublished": "2026-03-10T20:56:57.138Z",
"dateReserved": "2026-03-09T16:33:42.913Z",
"dateUpdated": "2026-03-11T16:00:25.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30869 (GCVE-0-2026-30869)
Vulnerability from cvelistv5 – Published: 2026-03-09 22:28 – Updated: 2026-03-10 14:18
VLAI?
Title
SiYuan has a Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage
Summary
SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary files from the server filesystem. By exploiting double‑encoded traversal sequences, an attacker can access sensitive files such as conf/conf.json, which contains secrets including the API token, cookie signing key, and workspace access authentication code. Leaking these secrets may enable administrative access to the SiYuan kernel API, and in certain deployment scenarios could potentially be chained into remote code execution (RCE). This vulnerability is fixed in 3.5.10.
Severity ?
9.3 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
< 3.5.10
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30869",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T14:18:43.579827Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T14:18:46.445Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-2h2p-mvfx-868w"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary files from the server filesystem. By exploiting double\u2011encoded traversal sequences, an attacker can access sensitive files such as conf/conf.json, which contains secrets including the API token, cookie signing key, and workspace access authentication code. Leaking these secrets may enable administrative access to the SiYuan kernel API, and in certain deployment scenarios could potentially be chained into remote code execution (RCE). This vulnerability is fixed in 3.5.10."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T22:28:06.949Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-2h2p-mvfx-868w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-2h2p-mvfx-868w"
}
],
"source": {
"advisory": "GHSA-2h2p-mvfx-868w",
"discovery": "UNKNOWN"
},
"title": "SiYuan has a Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30869",
"datePublished": "2026-03-09T22:28:06.949Z",
"dateReserved": "2026-03-06T00:04:56.697Z",
"dateUpdated": "2026-03-10T14:18:46.445Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30926 (GCVE-0-2026-30926)
Vulnerability from cvelistv5 – Published: 2026-03-09 21:07 – Updated: 2026-03-10 14:58
VLAI?
Title
SiYuan Note publish service authorization bypass allows low-privilege users to modify notebook content
Summary
SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint requires only the model.CheckAuth role, which accepts RoleReader sessions, but it does not enforce stricter checks, such as CheckAdminRole or CheckReadonly. This allows remote authenticated publish users with read-only privileges to append new blocks to existing documents, compromising the integrity of stored notes.
Severity ?
7.1 (High)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
< 3.5.10
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30926",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T14:58:48.132153Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T14:58:53.053Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint requires only the model.CheckAuth role, which accepts RoleReader sessions, but it does not enforce stricter checks, such as CheckAdminRole or CheckReadonly. This allows remote authenticated publish users with read-only privileges to append new blocks to existing documents, compromising the integrity of stored notes."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T21:07:07.481Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523"
}
],
"source": {
"advisory": "GHSA-f9cq-v43p-v523",
"discovery": "UNKNOWN"
},
"title": "SiYuan Note publish service authorization bypass allows low-privilege users to modify notebook content"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30926",
"datePublished": "2026-03-09T21:07:07.481Z",
"dateReserved": "2026-03-07T16:40:05.884Z",
"dateUpdated": "2026-03-10T14:58:53.053Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29183 (GCVE-0-2026-29183)
Vulnerability from cvelistv5 – Published: 2026-03-06 07:18 – Updated: 2026-03-06 16:05
VLAI?
Title
SiYuan: Unauthenticated reflected SVG XSS in `/api/icon/getDynamicIcon` (`type=8`) enables arbitrary JavaScript execution
Summary
SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint "GET /api/icon/getDynamicIcon" when type=8, attacker-controlled content is embedded into SVG output without escaping. Because the endpoint is unauthenticated and returns image/svg+xml, a crafted URL can inject executable SVG/HTML event handlers (for example onerror) and run JavaScript in the SiYuan web origin. This can be chained to perform authenticated API actions and exfiltrate sensitive data when a logged-in user opens the malicious link. This issue has been patched in version 3.5.9.
Severity ?
9.3 (Critical)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
< 3.5.9
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29183",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T15:58:07.192494Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T16:05:18.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint \"GET /api/icon/getDynamicIcon\" when type=8, attacker-controlled content is embedded into SVG output without escaping. Because the endpoint is unauthenticated and returns image/svg+xml, a crafted URL can inject executable SVG/HTML event handlers (for example onerror) and run JavaScript in the SiYuan web origin. This can be chained to perform authenticated API actions and exfiltrate sensitive data when a logged-in user opens the malicious link. This issue has been patched in version 3.5.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T07:18:26.058Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-6865-qjcf-286f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-6865-qjcf-286f"
}
],
"source": {
"advisory": "GHSA-6865-qjcf-286f",
"discovery": "UNKNOWN"
},
"title": "SiYuan: Unauthenticated reflected SVG XSS in `/api/icon/getDynamicIcon` (`type=8`) enables arbitrary JavaScript execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29183",
"datePublished": "2026-03-06T07:18:26.058Z",
"dateReserved": "2026-03-04T14:44:00.714Z",
"dateUpdated": "2026-03-06T16:05:18.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29073 (GCVE-0-2026-29073)
Vulnerability from cvelistv5 – Published: 2026-03-06 07:18 – Updated: 2026-03-09 20:03
VLAI?
Title
SiYuan: Direct SQL Query API accessible to Reader-level users enables unauthorized database access
Summary
SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql lets a user run sql directly, but it only checks basic auth, not admin rights, any logged-in user, even readers, can run any sql query on the database. This issue has been patched in version 3.6.0.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
< 3.6.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29073",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:03:08.140957Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:03:19.344Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c 3.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql lets a user run sql directly, but it only checks basic auth, not admin rights, any logged-in user, even readers, can run any sql query on the database. This issue has been patched in version 3.6.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T07:18:03.462Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-jqwg-75qf-vmf9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-jqwg-75qf-vmf9"
}
],
"source": {
"advisory": "GHSA-jqwg-75qf-vmf9",
"discovery": "UNKNOWN"
},
"title": "SiYuan: Direct SQL Query API accessible to Reader-level users enables unauthorized database access"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29073",
"datePublished": "2026-03-06T07:18:03.462Z",
"dateReserved": "2026-03-03T20:51:43.482Z",
"dateUpdated": "2026-03-09T20:03:19.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25992 (GCVE-0-2026-25992)
Vulnerability from cvelistv5 – Published: 2026-02-10 17:47 – Updated: 2026-02-10 19:17
VLAI?
Title
SiYuan has a File Read Interface Case Bypass Vulnerability
Summary
SiYuan is a personal knowledge management system. Prior to 3.5.5, the /api/file/getFile endpoint uses case-sensitive string equality checks to block access to sensitive files. On case-insensitive file systems such as Windows, attackers can bypass restrictions using mixed-case paths and read protected configuration files. This vulnerability is fixed in 3.5.5.
Severity ?
7.5 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
< 3.5.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25992",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T19:16:10.562245Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T19:17:41.722Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is a personal knowledge management system. Prior to 3.5.5, the /api/file/getFile endpoint uses case-sensitive string equality checks to block access to sensitive files. On case-insensitive file systems such as Windows, attackers can bypass restrictions using mixed-case paths and read protected configuration files. This vulnerability is fixed in 3.5.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T17:47:36.041Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f72r-2h5j-7639",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f72r-2h5j-7639"
},
{
"name": "https://github.com/siyuan-note/siyuan/releases/tag/v3.5.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.5.5"
}
],
"source": {
"advisory": "GHSA-f72r-2h5j-7639",
"discovery": "UNKNOWN"
},
"title": "SiYuan has a File Read Interface Case Bypass Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25992",
"datePublished": "2026-02-10T17:47:36.041Z",
"dateReserved": "2026-02-09T17:41:55.858Z",
"dateUpdated": "2026-02-10T19:17:41.722Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25647 (GCVE-0-2026-25647)
Vulnerability from cvelistv5 – Published: 2026-02-06 19:03 – Updated: 2026-02-09 15:28
VLAI?
Title
Lute has a Stored Cross-Site Scripting (XSS) via Markdown hyperlink
Summary
Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks the rendered content, the script executes in the context of their session.
Severity ?
4.6 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
< 3.5.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25647",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-09T15:19:30.532188Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T15:28:33.222Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks the rendered content, the script executes in the context of their session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T19:03:36.847Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-rw25-98wq-76qv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-rw25-98wq-76qv"
},
{
"name": "https://github.com/88250/lute/commit/0118e218916cf0cc7df639b50ce74e0c6c3d1868",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/88250/lute/commit/0118e218916cf0cc7df639b50ce74e0c6c3d1868"
}
],
"source": {
"advisory": "GHSA-rw25-98wq-76qv",
"discovery": "UNKNOWN"
},
"title": "Lute has a Stored Cross-Site Scripting (XSS) via Markdown hyperlink"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25647",
"datePublished": "2026-02-06T19:03:36.847Z",
"dateReserved": "2026-02-04T05:15:41.792Z",
"dateUpdated": "2026-02-09T15:28:33.222Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25539 (GCVE-0-2026-25539)
Vulnerability from cvelistv5 – Published: 2026-02-04 21:39 – Updated: 2026-02-05 18:32
VLAI?
Title
SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE
Summary
SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files. This issue has been patched in version 3.5.5.
Severity ?
9.1 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
< 3.5.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25539",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T18:32:24.271345Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T18:32:27.657Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c4jr-5q7w-f6r9"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files. This issue has been patched in version 3.5.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T21:39:12.438Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c4jr-5q7w-f6r9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c4jr-5q7w-f6r9"
},
{
"name": "https://github.com/siyuan-note/siyuan/commit/d7f790755edf8c78d2b4176171e5a0cdcd720feb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/commit/d7f790755edf8c78d2b4176171e5a0cdcd720feb"
}
],
"source": {
"advisory": "GHSA-c4jr-5q7w-f6r9",
"discovery": "UNKNOWN"
},
"title": "SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25539",
"datePublished": "2026-02-04T21:39:12.438Z",
"dateReserved": "2026-02-02T19:59:47.374Z",
"dateUpdated": "2026-02-05T18:32:27.657Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23852 (GCVE-0-2026-23852)
Vulnerability from cvelistv5 – Published: 2026-01-19 20:00 – Updated: 2026-01-20 20:05
VLAI?
Title
SiYuan vulnerable to Stored XSS / RCE via `setBlockAttrs` icon attribute
Summary
SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML attributes into the `icon` attribute of a block via the `/api/attr/setBlockAttrs` API. The payload is later rendered in the dynamic icon feature in an unsanitized context, leading to stored XSS and, in the desktop environment, potential remote code execution (RCE). This issue bypasses the previous fix for issue `#15970` (XSS → RCE via dynamic icons). Version 3.5.4 contains an updated fix.
Severity ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
< 3.5.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23852",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T20:03:58.175698Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T20:05:02.903Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML attributes into the `icon` attribute of a block via the `/api/attr/setBlockAttrs` API. The payload is later rendered in the dynamic icon feature in an unsanitized context, leading to stored XSS and, in the desktop environment, potential remote code execution (RCE). This issue bypasses the previous fix for issue `#15970` (XSS \u2192 RCE via dynamic icons). Version 3.5.4 contains an updated fix."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T20:00:05.839Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7c6g-g2hx-23vv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7c6g-g2hx-23vv"
},
{
"name": "https://github.com/siyuan-note/siyuan/commit/0be7e1d4e0da9aac0da850b7aeb9b50ede7e5bdb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/commit/0be7e1d4e0da9aac0da850b7aeb9b50ede7e5bdb"
}
],
"source": {
"advisory": "GHSA-7c6g-g2hx-23vv",
"discovery": "UNKNOWN"
},
"title": "SiYuan vulnerable to Stored XSS / RCE via `setBlockAttrs` icon attribute"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23852",
"datePublished": "2026-01-19T20:00:05.839Z",
"dateReserved": "2026-01-16T15:46:40.843Z",
"dateUpdated": "2026-01-20T20:05:02.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23851 (GCVE-0-2026-23851)
Vulnerability from cvelistv5 – Published: 2026-01-19 19:57 – Updated: 2026-01-20 20:05
VLAI?
Title
SiYuan Vulnerable to Arbitrary File Read via File Copy Functionality
Summary
SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace without proper path validation. The vulnerability exists in the api/file.go source code. The function globalCopyFiles accepts a list of source paths (srcs) from the JSON request body. While the code checks if the source file exists using filelock.IsExist(src), it fails to validate whether the source path resides within the authorized workspace directory. Version 3.5.4 patches the issue.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
< 3.5.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23851",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T19:37:06.552446Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T20:05:11.018Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server\u0027s filesystem into the application\u0027s workspace without proper path validation. The vulnerability exists in the api/file.go source code. The function globalCopyFiles accepts a list of source paths (srcs) from the JSON request body. While the code checks if the source file exists using filelock.IsExist(src), it fails to validate whether the source path resides within the authorized workspace directory. Version 3.5.4 patches the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T19:57:29.460Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-94c7-g2fj-7682",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-94c7-g2fj-7682"
},
{
"name": "https://github.com/siyuan-note/siyuan/issues/16860",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/issues/16860"
},
{
"name": "https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd"
},
{
"name": "https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad"
}
],
"source": {
"advisory": "GHSA-94c7-g2fj-7682",
"discovery": "UNKNOWN"
},
"title": "SiYuan Vulnerable to Arbitrary File Read via File Copy Functionality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23851",
"datePublished": "2026-01-19T19:57:29.460Z",
"dateReserved": "2026-01-16T15:46:40.843Z",
"dateUpdated": "2026-01-20T20:05:11.018Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23850 (GCVE-0-2026-23850)
Vulnerability from cvelistv5 – Published: 2026-01-19 19:52 – Updated: 2026-01-20 20:05
VLAI?
Title
SiYuan vulnerable to arbitrary file read
Summary
SiYuan is a personal knowledge management system. In versions prior to 3.5.4, the markdown feature allows unrestricted server side html-rendering which allows arbitrary file read (LFD). Version 3.5.4 fixes the issue.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
< 3.5.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23850",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T20:04:00.809446Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T20:05:16.346Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is a personal knowledge management system. In versions prior to 3.5.4, the markdown feature allows unrestricted server side html-rendering which allows arbitrary file read (LFD). Version 3.5.4 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T19:56:47.029Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-cv54-7wv7-qxcw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-cv54-7wv7-qxcw"
},
{
"name": "https://github.com/siyuan-note/siyuan/issues/16860",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/issues/16860"
},
{
"name": "https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd"
},
{
"name": "https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad"
},
{
"name": "https://github.com/siyuan-note/siyuan/blob/master/kernel/model/file.go#L1035",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/blob/master/kernel/model/file.go#L1035"
},
{
"name": "https://github.com/siyuan-note/siyuan/blob/v3.4.2/kernel/api/filetree.go#L799-L886",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/blob/v3.4.2/kernel/api/filetree.go#L799-L886"
}
],
"source": {
"advisory": "GHSA-cv54-7wv7-qxcw",
"discovery": "UNKNOWN"
},
"title": "SiYuan vulnerable to arbitrary file read"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23850",
"datePublished": "2026-01-19T19:52:58.615Z",
"dateReserved": "2026-01-16T15:46:40.843Z",
"dateUpdated": "2026-01-20T20:05:16.346Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23847 (GCVE-0-2026-23847)
Vulnerability from cvelistv5 – Published: 2026-01-19 19:46 – Updated: 2026-01-20 14:37
VLAI?
Title
SiYuan Vulnerable to Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon
Summary
SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG <text> tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript. Version 3.5.4 patches the issue.]
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
< 3.5.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23847",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T14:37:01.409541Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:37:42.649Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG \u003ctext\u003e tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript. Version 3.5.4 patches the issue.]"
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T19:46:08.980Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-w836-5gpm-7r93",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-w836-5gpm-7r93"
},
{
"name": "https://github.com/siyuan-note/siyuan/issues/16844",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/issues/16844"
},
{
"name": "https://github.com/siyuan-note/siyuan/commit/5c0cc375b47567e15edd2119066b09bb0aa18777",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/commit/5c0cc375b47567e15edd2119066b09bb0aa18777"
}
],
"source": {
"advisory": "GHSA-w836-5gpm-7r93",
"discovery": "UNKNOWN"
},
"title": "SiYuan Vulnerable to Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23847",
"datePublished": "2026-01-19T19:46:08.980Z",
"dateReserved": "2026-01-16T15:46:40.843Z",
"dateUpdated": "2026-01-20T14:37:42.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23645 (GCVE-0-2026-23645)
Vulnerability from cvelistv5 – Published: 2026-01-16 19:20 – Updated: 2026-01-16 21:37
VLAI?
Title
SiYuan Vulnerable to Stored Cross-Site Scripting (XSS) via Unrestricted SVG File Upload
Summary
SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
< 3.5.4-dev2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23645",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-16T21:37:47.881335Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-16T21:37:58.336Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4-dev2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-16T19:20:06.744Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j"
},
{
"name": "https://github.com/siyuan-note/siyuan/issues/16844",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/issues/16844"
},
{
"name": "https://github.com/siyuan-note/siyuan/commit/11115da3d0de950593ee4ce375cf7f9018484388",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/commit/11115da3d0de950593ee4ce375cf7f9018484388"
}
],
"source": {
"advisory": "GHSA-pcjq-j3mq-jv5j",
"discovery": "UNKNOWN"
},
"title": "SiYuan Vulnerable to Stored Cross-Site Scripting (XSS) via Unrestricted SVG File Upload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23645",
"datePublished": "2026-01-16T19:20:06.744Z",
"dateReserved": "2026-01-14T16:08:37.484Z",
"dateUpdated": "2026-01-16T21:37:58.336Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68948 (GCVE-0-2025-68948)
Vulnerability from cvelistv5 – Published: 2025-12-27 00:21 – Updated: 2025-12-29 16:51
VLAI?
Title
SiYuan: Information Disclosure and Authentication Bypass via Hardcoded Session Secret
Summary
SiYuan is self-hosted, open source personal knowledge management software. In versions 3.5.1 and prior, the SiYuan Note application utilizes a hardcoded cryptographic secret for its session store. This unsafe practice renders the session encryption ineffective. Since the sensitive AccessAuthCode is stored within the session cookie, an attacker who intercepts or obtains a user's encrypted session cookie (e.g., via session hijacking) can locally decrypt it using the public key. Once decrypted, the attacker can retrieve the AccessAuthCode in plain text and use it to authenticate or take over the session.
Severity ?
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
<= 3.5.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68948",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-29T16:43:21.083622Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T16:51:19.102Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f7ph-rc3w-qp28"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c= 3.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is self-hosted, open source personal knowledge management software. In versions 3.5.1 and prior, the SiYuan Note application utilizes a hardcoded cryptographic secret for its session store. This unsafe practice renders the session encryption ineffective. Since the sensitive AccessAuthCode is stored within the session cookie, an attacker who intercepts or obtains a user\u0027s encrypted session cookie (e.g., via session hijacking) can locally decrypt it using the public key. Once decrypted, the attacker can retrieve the AccessAuthCode in plain text and use it to authenticate or take over the session."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321: Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-27T00:21:31.864Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f7ph-rc3w-qp28",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f7ph-rc3w-qp28"
}
],
"source": {
"advisory": "GHSA-f7ph-rc3w-qp28",
"discovery": "UNKNOWN"
},
"title": "SiYuan: Information Disclosure and Authentication Bypass via Hardcoded Session Secret"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68948",
"datePublished": "2025-12-27T00:21:31.864Z",
"dateReserved": "2025-12-26T16:36:24.151Z",
"dateUpdated": "2025-12-29T16:51:19.102Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67488 (GCVE-0-2025-67488)
Vulnerability from cvelistv5 – Published: 2025-12-09 20:32 – Updated: 2025-12-09 21:30
VLAI?
Title
SiYuan: ZipSlip -> Arbitrary File Overwrite -> RCE
Summary
SiYuan is self-hosted, open source personal knowledge management software. Versions 0.0.0-20251202123337-6ef83b42c7ce and below contain function importZipMd which is vulnerable to ZipSlips, allowing an authenticated user to overwrite files on the system. An authenticated user with access to the import functionality in notes is able to overwrite any file on the system, and can escalate to full code execution under some circumstances. A fix is planned for version 3.5.0.
Severity ?
7.8 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
<= 0.0.0-20251202123337-6ef83b42c7ce
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67488",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T21:29:53.279279Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T21:30:12.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.0.0-20251202123337-6ef83b42c7ce"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is self-hosted, open source personal knowledge management software. Versions 0.0.0-20251202123337-6ef83b42c7ce and below contain function importZipMd which is vulnerable to ZipSlips, allowing an authenticated user to overwrite files on the system. An authenticated user with access to the import functionality in notes is able to overwrite any file on the system, and can escalate to full code execution under some circumstances. A fix is planned for version 3.5.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T20:32:37.274Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-gqfv-g4v7-m366",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-gqfv-g4v7-m366"
},
{
"name": "https://github.com/siyuan-note/siyuan/blob/dae6158860cc704e353454565c96e874278c6f47/kernel/api/import.go#L190",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/blob/dae6158860cc704e353454565c96e874278c6f47/kernel/api/import.go#L190"
}
],
"source": {
"advisory": "GHSA-gqfv-g4v7-m366",
"discovery": "UNKNOWN"
},
"title": "SiYuan: ZipSlip -\u003e Arbitrary File Overwrite -\u003e RCE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-67488",
"datePublished": "2025-12-09T20:32:37.274Z",
"dateReserved": "2025-12-08T18:02:08.847Z",
"dateUpdated": "2025-12-09T21:30:12.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21609 (GCVE-0-2025-21609)
Vulnerability from cvelistv5 – Published: 2025-01-03 16:26 – Updated: 2025-01-03 17:14
VLAI?
Title
SiYuan has an arbitrary file deletion vulnerability
Summary
SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19.
Severity ?
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
= 3.1.18
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-21609",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-03T17:03:32.565543Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T17:14:23.915Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "= 3.1.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-459",
"description": "CWE-459: Incomplete Cleanup",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552: Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T16:26:36.420Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-8fx8-pffw-w498",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-8fx8-pffw-w498"
},
{
"name": "https://github.com/siyuan-note/siyuan/commit/d9887aeec1b27073bec66299a9a4181dc42969f3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/commit/d9887aeec1b27073bec66299a9a4181dc42969f3"
}
],
"source": {
"advisory": "GHSA-8fx8-pffw-w498",
"discovery": "UNKNOWN"
},
"title": "SiYuan has an arbitrary file deletion vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-21609",
"datePublished": "2025-01-03T16:26:36.420Z",
"dateReserved": "2024-12-29T03:00:24.712Z",
"dateUpdated": "2025-01-03T17:14:23.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55660 (GCVE-0-2024-55660)
Vulnerability from cvelistv5 – Published: 2024-12-11 22:54 – Updated: 2024-12-12 16:29
VLAI?
Title
SiYuan has an SSTI via /api/template/renderSprig
Summary
SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's `/api/template/renderSprig` endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limitations, it allows attackers to access environment variables. Version 3.1.16 contains a patch for the issue.
Severity ?
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
< 3.1.16
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55660",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-12T16:29:04.165638Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T16:29:14.433Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan\u0027s `/api/template/renderSprig` endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limitations, it allows attackers to access environment variables. Version 3.1.16 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T22:54:52.564Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4pjc-pwgq-q9jp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4pjc-pwgq-q9jp"
},
{
"name": "https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71"
}
],
"source": {
"advisory": "GHSA-4pjc-pwgq-q9jp",
"discovery": "UNKNOWN"
},
"title": "SiYuan has an SSTI via /api/template/renderSprig"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-55660",
"datePublished": "2024-12-11T22:54:52.564Z",
"dateReserved": "2024-12-10T15:33:57.415Z",
"dateUpdated": "2024-12-12T16:29:14.433Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55659 (GCVE-0-2024-55659)
Vulnerability from cvelistv5 – Published: 2024-12-11 22:53 – Updated: 2024-12-12 16:29
VLAI?
Title
SiYuan has an arbitrary file write in the host via /api/asset/upload
Summary
SiYuan is a personal knowledge management system. Prior to version 3.1.16, the `/api/asset/upload` endpoint in Siyuan is vulnerable to both arbitrary file write to the host and stored cross-site scripting (via the file write). Version 3.1.16 contains a patch for the issue.
Severity ?
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
< 3.1.16
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55659",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-12T16:29:34.872154Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T16:29:46.007Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is a personal knowledge management system. Prior to version 3.1.16, the `/api/asset/upload` endpoint in Siyuan is vulnerable to both arbitrary file write to the host and stored cross-site scripting (via the file write). Version 3.1.16 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T22:53:45.983Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-fqj6-whhx-47p7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-fqj6-whhx-47p7"
},
{
"name": "https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71"
}
],
"source": {
"advisory": "GHSA-fqj6-whhx-47p7",
"discovery": "UNKNOWN"
},
"title": "SiYuan has an arbitrary file write in the host via /api/asset/upload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-55659",
"datePublished": "2024-12-11T22:53:45.983Z",
"dateReserved": "2024-12-10T15:33:57.415Z",
"dateUpdated": "2024-12-12T16:29:46.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55658 (GCVE-0-2024-55658)
Vulnerability from cvelistv5 – Published: 2024-12-11 22:47 – Updated: 2024-12-12 16:30
VLAI?
Title
SiYuan has an arbitrary file read and path traversal via /api/export/exportResources
Summary
SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's /api/export/exportResources endpoint is vulnerable to arbitary file read via path traversal. It is possible to manipulate the paths parameter to access and download arbitrary files from the host system by traversing the workspace directory structure. Version 3.1.16 contains a patch for the issue.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
< 3.1.16
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55658",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-12T16:30:04.835644Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T16:30:20.341Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan\u0027s /api/export/exportResources endpoint is vulnerable to arbitary file read via path traversal. It is possible to manipulate the paths parameter to access and download arbitrary files from the host system by traversing the workspace directory structure. Version 3.1.16 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T22:47:21.809Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-25w9-wqfq-gwqx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-25w9-wqfq-gwqx"
},
{
"name": "https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71"
}
],
"source": {
"advisory": "GHSA-25w9-wqfq-gwqx",
"discovery": "UNKNOWN"
},
"title": "SiYuan has an arbitrary file read and path traversal via /api/export/exportResources"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-55658",
"datePublished": "2024-12-11T22:47:21.809Z",
"dateReserved": "2024-12-10T14:48:24.296Z",
"dateUpdated": "2024-12-12T16:30:20.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55657 (GCVE-0-2024-55657)
Vulnerability from cvelistv5 – Published: 2024-12-11 22:44 – Updated: 2024-12-12 16:30
VLAI?
Title
SiYuan has an arbitrary file read via /api/template/render
Summary
SiYuan is a personal knowledge management system. Prior to version 3.1.16, an arbitrary file read vulnerability exists in Siyuan's `/api/template/render` endpoint. The absence of proper validation on the path parameter allows attackers to access sensitive files on the host system. Version 3.1.16 contains a patch for the issue.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| siyuan-note | siyuan |
Affected:
< 3.1.16
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55657",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-12T16:30:43.853223Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T16:30:52.826Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is a personal knowledge management system. Prior to version 3.1.16, an arbitrary file read vulnerability exists in Siyuan\u0027s `/api/template/render` endpoint. The absence of proper validation on the path parameter allows attackers to access sensitive files on the host system. Version 3.1.16 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T22:44:17.868Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-xx68-37v4-4596",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-xx68-37v4-4596"
},
{
"name": "https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71"
}
],
"source": {
"advisory": "GHSA-xx68-37v4-4596",
"discovery": "UNKNOWN"
},
"title": "SiYuan has an arbitrary file read via /api/template/render"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-55657",
"datePublished": "2024-12-11T22:44:17.868Z",
"dateReserved": "2024-12-10T14:48:24.296Z",
"dateUpdated": "2024-12-12T16:30:52.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}