cvebase

B3Log Siyuan vulnerabilities

55 known vulnerabilities affecting b3log/siyuan.

Total CVEs: 55
CISA KEV: 0
Public exploits: 6
Exploited in wild: 0
Severity breakdown: CRITICAL 18, HIGH 19, MEDIUM 18

Vulnerabilities

Page 3 of 3
CVE-2026-34585 | P3 | HIGH | CVSS 8.2 | fixed in 3.6.2 | 2026-03-31
CWE-79: SiYuan is a personal knowledge management system. Prior to version 3.6.2, a vulnerability allows crafted block attribute values to bypass server-side attribute escaping when an HTML entity is mixed with raw special characters. An attacker can embed a malicious IAL value inside a .sy document, package it as a .sy.zip, and have the victim import it throu
Source: nvd
CVE-2026-23851 | P3 | MEDIUM | CVSS 6.5 | fixed in 3.5.4 | 2026-01-19
CWE-22: SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace without proper path validation. The vulnerability exists in the api/file.
Source: nvd
CVE-2026-32704 | P3 | MEDIUM | CVSS 6.5 | fixed in 3.6.1 | 2026-03-16
CWE-285: SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes. This vulnerability is fixed in 3.6.1.
Source: nvd
CVE-2026-32750 | P3 | MEDIUM | CVSS 6.8 | fixed in 3.6.1 | 2026-03-19
CWE-22: SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importStdMd passes the localPath parameter directly to model.ImportFromLocalPath with zero path validation. The function recursively reads every file under the given path and permanently stores their content as SiYuan note documents in the workspace databa
Source: nvd
CVE-2026-32938 | P3 | MEDIUM | CVSS 6.5 | fixed in 3.6.1 | 2026-03-20
CWE-22: SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET /assets/*path, which only requires authentication, a publi
Source: nvd
CVE-2026-33194 | P3 | MEDIUM | CVSS 6.8 | fixed in 3.6.2 | 2026-03-20
CWE-22: SiYuan is a personal knowledge management system. Prior to version 3.6.2, the `IsSensitivePath()` function in `kernel/util/path.go` uses a denylist approach that was recently expanded (GHSA-h5vh-m7fg-w5h6, commit 9914fd1) but remains incomplete. Multiple security-relevant Linux directories are not blocked, including `/opt` (application data), `/usr`
Source: nvd
CVE-2026-40107 | P3 | MEDIUM | CVSS 6.5 | fixed in 3.6.4 | 2026-04-09
CWE-918: SiYuan is a personal knowledge management system. Prior to 3.6.4, SiYuan configures Mermaid.js with securityLevel: "loose" and htmlLabels: true. In this mode, tags with src attributes survive Mermaid's internal DOMPurify and land in SVG blocks. The SVG is injected via innerHTML with no secondary sanitization. When a victim opens a note containing a m
Source: nvd
CVE-2026-32940 | P4 | MEDIUM | CVSS 6.1 | fixed in 3.6.1 | 2026-03-20
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist — it blocks data:text/html and data:image/svg+xml in href attributes but misses data:text/xml and data:application/xml, both of which can render SVG with JavaScript execution. The unauthenticated /api/icon/getDynamicIcon endpoint serves use
Source: nvd
CVE-2026-32747 | P4 | MEDIUM | CVSS 4.9 | fixed in 3.6.1 | 2026-03-19
CWE-22: SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the globalCopyFiles API reads source files using filepath.Abs() with no workspace boundary check, relying solely on util.IsSensitivePath() whose blocklist omits /proc/, /run/secrets/, and home directory dotfiles. An admin can copy /proc/1/environ or Docker secrets into the
Source: nvd
CVE-2024-55659 | P4 | MEDIUM | CVSS 5.4 | v3.1.15 | 2024-12-12
CWE-22: SiYuan is a personal knowledge management system. Prior to version 3.1.16, the `/api/asset/upload` endpoint in Siyuan is vulnerable to both arbitrary file write to the host and stored cross-site scripting (via the file write). Version 3.1.16 contains a patch for the issue.
Source: nvd
CVE-2026-40922 | P4 | MEDIUM | CVSS 5.4 | ≥ 3.6.1, < 3.6.4 | 2026-04-17
SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README rendering (incomplete fix for CVE-2026-33066) enabled the Lute HTML sanitizer, but the sanitizer does not block iframe tags, and its URL-prefix blocklist does not effectively filter srcdoc attributes which contain raw HTML rat
Source: nvd
CVE-2024-6938 | P4 | MEDIUM | CVSS 5.4 | v3.1.0 | 2024-07-21
CWE-79: A vulnerability has been found in SiYuan 3.1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file PDF.js of the component PDF Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-27
Source: nvd
CVE-2026-23847 | P4 | MEDIUM | CVSS 6.1 | fixed in 3.5.4 | 2026-01-19
CWE-79: SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG tag without XML escaping. Since the response Conte
Source: nvd
CVE-2026-23645 | P4 | MEDIUM | CVSS 6.1 | fixed in 3.5.4 | v3.5.4 | 2026-01-16
CWE-79: SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed
Source: nvd
CVE-2026-25647 | P4 | MEDIUM | CVSS 5.4 | v3.5.4 | 2026-02-06
CWE-79: Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks the rendered content, the script executes in the co
Source: nvd