
B3Log Siyuan vulnerabilities

55 known vulnerabilities affecting b3log/siyuan.

Total CVEs: 55
CISA KEV: 0
Public exploits: 6
Exploited in wild: 0
Severity breakdown: CRITICAL 18, HIGH 19, MEDIUM 18

Vulnerabilities

Page 1 of 3
CVE-2026-33476 | P2 | HIGH | CVSS 7.5 | PoC | fixed in 3.6.2 | 2026-03-20
CVE-2026-33476 [HIGH] CWE-22: SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath`. Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process. Authentication checks explicitly exclude this e…
Source: nvd
CVE-2026-34453 | P2 | HIGH | CVSS 7.5 | PoC | fixed in 3.6.2 | 2026-03-31
CVE-2026-34453 [HIGH] CWE-863: SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling FilterBlocksByPublishAccess(nil, ...). Because the filter treats a nil context as…
Source: nvd
CVE-2026-30869 | P2 | CRITICAL | CVSS 9.8 | fixed in 3.5.10 | 2026-03-10
CVE-2026-30869 [CRITICAL] CWE-22: SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary files from the server filesystem. By exploiting double-encoded traversal sequences, an attacker can access sensitive files such as conf/conf.json, which contains secrets including the API tok…
Source: nvd
CVE-2026-32767 | P2 | CRITICAL | CVSS 9.8 | fixed in 3.6.1 | 2026-03-20
CVE-2026-32767 [CRITICAL] CWE-89: SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-on…
Source: nvd
CVE-2026-29183 | P3 | MEDIUM | CVSS 6.1 | PoC | fixed in 3.5.9 | 2026-03-06
CVE-2026-29183 [MEDIUM] CWE-79: SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint "GET /api/icon/getDynamicIcon": when type=8, attacker-controlled content is embedded into SVG output without escaping. Because the endpoint is unauthenticated and returns image/svg+xml, a craf…
Source: nvd
CVE-2026-34449 | P2 | CRITICAL | CVSS 9.6 | fixed in 3.6.2 | 2026-03-31
CVE-2026-34449 [CRITICAL] CWE-942: SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiYuan by exploiting the permissive CORS policy (Access-Control-Allow-Origin: * + Access-Control-Allow-Private-Network: true) to inject a JavaScript snippet via the API. The injected snippet e…
Source: nvd
CVE-2026-31809 | P3 | MEDIUM | CVSS 6.1 | PoC | fixed in 3.5.10 | 2026-03-10
CVE-2026-31809 [MEDIUM]: SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) checks href attributes for the javascript: prefix using strings.HasPrefix(). However, inserting ASCII tab (0x09), newline (0x0A), or carriage return (0x0D) characters inside the javascript: string bypasses this prefix check. Browsers strip these characters per the…
Source: nvd
CVE-2026-34605 | P3 | MEDIUM | CVSS 6.1 | PoC | ≥ 3.6.0, < 3.6.2 | 2026-03-31
CVE-2026-34605 [MEDIUM] CWE-79: SiYuan is a personal knowledge management system. From version 3.6.0 to before version 3.6.2, the SanitizeSVG function introduced in version 3.6.0 to fix XSS in the unauthenticated /api/icon/getDynamicIcon endpoint can be bypassed by using namespace-prefixed element names such as <x:script>. The Go HTML5 parser records the element's tag as "x:script" rather th…
Source: nvd
CVE-2026-31807 | P3 | MEDIUM | CVSS 6.1 | PoC | fixed in 3.5.10 | 2026-03-10
CVE-2026-31807 [MEDIUM]: SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) blocks dangerous elements (, , ) and removes on* event handlers and javascript: in href attributes. However, it does NOT block SVG animation elements (, ) which can dynamically set attributes to dangerous values at runtime, bypassing the static sanitizati…
Source: nvd
CVE-2025-67488 | P3 | HIGH | CVSS 8.8 | fixed in 3.5.0 | 2025-12-09
CVE-2025-67488 [HIGH] CWE-22: SiYuan is self-hosted, open source personal knowledge management software. Versions 0.0.0-20251202123337-6ef83b42c7ce and below contain the function importZipMd, which is vulnerable to Zip Slip, allowing an authenticated user to overwrite files on the system. An authenticated user with access to the import functionality in notes is able to overwrite any fil…
Source: nvd
CVE-2024-55660 | P3 | CRITICAL | CVSS 9.8 | v3.1.15 | 2024-12-12
CVE-2024-55660 [CRITICAL] CWE-1336: SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's `/api/template/renderSprig` endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limitations, it allows attackers to access environment variables. Version 3.1.16 contains a patch for the issue.
Source: nvd
CVE-2025-21609 | P3 | CRITICAL | CVSS 9.1 | v3.1.18 | 2025-01-03
CVE-2025-21609 [CRITICAL] CWE-459: SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the ser…
Source: nvd
CVE-2024-53504 | P3 | CRITICAL | CVSS 9.8 | v3.1.11 | 2024-11-29
CVE-2024-53504 [CRITICAL] CWE-89: A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the notebook parameter in /searchHistory.
Source: nvd
CVE-2026-32751 | P3 | CRITICAL | CVSS 9.0 | fixed in 3.6.1 | 2026-03-19
CVE-2026-32751 [CRITICAL] CWE-79: SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree (MobileFiles.ts) renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version (Files.ts) properly uses escapeHtml() for the same operation. An authenticated user who can rename noteboo…
Source: nvd
CVE-2026-33066 | P3 | CRITICAL | CVSS 9.0 | fixed in 3.6.1 | 2026-03-20
CVE-2026-33066 [CRITICAL] CWE-79: SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New() without calling SetSanitize(true), allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to innerHTML without any additional sanitization. A malicious package autho…
Source: nvd
CVE-2024-53506 | P3 | CRITICAL | CVSS 9.8 | v3.1.11 | 2024-11-29
CVE-2024-53506 [CRITICAL] CWE-89: A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the ids array parameter in /batchGetBlockAttrs.
Source: nvd
CVE-2026-39846 | P3 | CRITICAL | CVSS 9.0 | fixed in 3.6.4 | 2026-04-07
CVE-2026-39846 [CRITICAL] CWE-79: SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped into rendered HTML, creating a stored XSS sink. Because the desktop render…
Source: nvd
CVE-2026-29073 | P3 | HIGH | CVSS 8.8 | ≤ 3.5.9 | 2026-03-06
CVE-2026-29073 [HIGH] CWE-89: SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql endpoint lets a user run SQL directly, but it only checks basic authentication, not admin rights, so any logged-in user, even readers, can run any SQL query on the database. This issue has been patched in version 3.6.0.
Source: nvd
CVE-2026-32110 | P3 | HIGH | CVSS 8.3 | fixed in 3.6.0 | 2026-03-11
CVE-2026-32110 [HIGH] CWE-918: SiYuan is a personal knowledge management system. Prior to 3.6.0, the /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and headers. There is no URL validation to prevent requests to in…
Source: nvd
CVE-2026-40318 | P3 | HIGH | CVSS 8.5 | fixed in 3.6.4 | 2026-04-16
CVE-2026-40318 [HIGH] CWE-24: SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject path traversal sequences such as ../ into the id value to escape the intend…
Source: nvd