
Github.Com Siyuan-Note Siyuan Kernel vulnerabilities

47 known vulnerabilities affecting github.com/siyuan-note_siyuan_kernel.

Total CVEs: 47
CISA KEV: 0
Public exploits: 6
Exploited in wild: 0
Severity breakdown: CRITICAL 12, HIGH 20, MEDIUM 14, LOW 1

Vulnerabilities

Page 1 of 3
CVE-2026-33476 | P2 | HIGH | PoC | affected range: ≥ 0, ≤ 0.0.0-20260317012524-fe4523fff2c8 | 2026-03-20 | sources: GHSA, OSV
CVE-2026-33476 [HIGH] CWE-22: Siyuan has an Unauthenticated Arbitrary File Read via Path Traversal
Summary: The Siyuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath`. Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process. Authentication checks explicitly exclude this endpoint, allowing exploitation witho
CVE-2026-34453 | P2 | HIGH | PoC | affected range: ≥ 0, < 3.6.2 | 2026-03-31 | sources: GHSA, OSV
CVE-2026-34453 [HIGH] CWE-863: SiYuan: Unauthenticated Access to Password-Protected Bookmarks via /api/bookmark/getBookmark
Summary: The publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, `/api/bookmark/getBookmark` filters bookmark results by calling `FilterBlocksByPublishAccess(nil, ...)`. Because the filter treats a `n
CVE-2026-30869 | P2 | CRITICAL | CVSS 9.8 | affected range: ≥ 0, < 3.6.5 | 2026-04-22 | sources: GHSA, OSV
CVE-2026-30869 [CRITICAL] CWE-22: SiYuan: Path Traversal via Double URL Encoding in `/export/` Endpoint (Incomplete Fix Bypass for CVE-2026-30869)
Summary: The fix for CVE-2026-30869 in SiYuan v3.5.10 only added a denylist check (`IsSensitivePath`) but did not address the root cause — a redundant `url.PathUnescape()` call in `serveExport()`. An authenticated attacker can use double
CVE-2026-31809 | P3 | MEDIUM | CVSS 6.1 | PoC | affected range: ≥ 0, < 0.0.0-20260310025236-297bd526708f | 2026-03-10 | sources: GHSA, OSV
CVE-2026-31809 [MEDIUM] CWE-79: SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS
Summary: SiYuan's SVG sanitizer (`SanitizeSVG`) checks `href` attributes for the `javascript:` prefix using `strings.HasPrefix()`. However, inserting ASCII tab (` `), newline (` `), or carriage retur
CVE-2026-32767 | P2 | CRITICAL | affected range: ≥ 0, ≤ 0.0.0-20260313024916-fd6526133bb3 | 2026-03-16 | sources: GHSA, OSV
CVE-2026-32767 [CRITICAL] CWE-863: SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API
Summary: SiYuan Note v3.6.0 (and likely prior versions) contains an authorization bypass vulnerability in the `/api/search/fullTextSearchBlock` endpoint. When the `method` parameter is set to `2`, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without a
CVE-2026-29183 | P3 | CRITICAL | PoC | affected range: ≥ 0, < 0.0.0-20260304034809-d68bd5a79391 | 2026-03-04 | sources: GHSA, OSV
CVE-2026-29183 [CRITICAL] CWE-79: SiYuan: Unauthenticated Reflected XSS via SVG Injection in /api/icon/getDynamicIcon Endpoint
Summary: An unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint `GET /api/icon/getDynamicIcon`. When `type=8`, attacker-controlled `content` is embedded into SVG output without escaping. Because the endpoint is unauthenticated and returns `i
CVE-2026-31807 | P3 | MEDIUM | CVSS 6.1 | PoC | affected range: ≥ 0, < 0.0.0-20260310025236-297bd526708f | 2026-03-10 | sources: GHSA, OSV
CVE-2026-31807 [MEDIUM] CWE-79: SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS
Summary: SiYuan's SVG sanitizer (`SanitizeSVG`) blocks dangerous elements (``, ``, ``) and removes `on*` event handlers and `javascript:` in `href` attributes. However, it does NOT block SVG animation elements (``, ``) which can dynamically set attribut
CVE-2026-34449 | P2 | CRITICAL | affected range: ≥ 0, < 3.6.2 | 2026-03-31 | sources: GHSA, OSV
CVE-2026-34449 [CRITICAL] CWE-942: SiYuan is Vulnerable to Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection
Summary: A malicious website can achieve Remote Code Execution (RCE) on any desktop running SiYuan by exploiting the permissive CORS policy (`Access-Control-Allow-Origin: *` + `Access-Control-Allow-Private-Network: true`) to inject a JavaScript snippet via th
CVE-2026-34605 | P3 | HIGH | PoC | affected range: ≥ 0, < 0.0.0-20260330031106-f09953afc57a | 2026-04-01 | sources: GHSA, OSV
CVE-2026-34605 [HIGH] CWE-79: SiYuan vulnerable to reflected XSS via SVG namespace prefix bypass in SanitizeSVG (getDynamicIcon, unauthenticated)
Summary: The `SanitizeSVG` function introduced in v3.6.0 to fix XSS in the unauthenticated `/api/icon/getDynamicIcon` endpoint can be bypassed by using namespace-prefixed element names such as ``. The Go HTML5 parser records the eleme
CVE-2026-33066 | P3 | MEDIUM | CVSS 5.3 | affected range: ≥ 0, < 0.0.0-20260414013942-62eed37a3263 | 2026-04-14 | sources: GHSA, OSV
CVE-2026-33066 [MEDIUM] CWE-79: SiYuan has incomplete fix for CVE-2026-33066: XSS
Summary: The incomplete fix for SiYuan's bazaar README rendering enables the Lute HTML sanitizer but fails to block `` tags, allowing stored XSS via `srcdoc` attributes containing embedded scripts that execute in the Electron context.
Affected Package: Ecosystem: Go; Package: github.com/siyuan-note/siyuan; Affected versions: = commit b382f50
CVE-2025-67488 | P3 | HIGH | affected range: ≥ 0, ≤ 0.0.0-20251202123337-6ef83b42c7ce | 2025-12-09 | sources: GHSA, OSV
CVE-2025-67488 [HIGH] CWE-22: SiYuan: ZipSlip -> Arbitrary File Overwrite -> RCE
Summary: Function importZipMd (https://github.com/siyuan-note/siyuan/blob/dae6158860cc704e353454565c96e874278c6f47/kernel/api/import.go#L190) is vulnerable to ZipSlip, which allows an authenticated user to overwrite files on the system.
Details: An authenticated user with access to the import functionality in notes is able to overwrite any file on the
CVE-2026-44588 | P3 | HIGH | CVSS 8.2 | affected range: ≥ 0, ≤ 0.0.0-20260421031503-96dfe0bea474 | 2026-05-08 | sources: GHSA
CVE-2026-44588 [HIGH] CWE-116: SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink (incomplete fix for CVE-2026-34585)
Summary: The tooltip mouseover handler in `app/src/block/popover.ts` reads `aria-label` via `getAttribute` and passes it through `decodeURIComponent` before assigning to `messageElement.innerHTML` in `app/src/dia
CVE-2024-55660 | P3 | MEDIUM | affected range: ≥ 0, ≤ 0.0.0-20241210012039-5129ad926a21 | 2024-12-11 | sources: GHSA, OSV
CVE-2024-55660 [MEDIUM] CWE-1336: SiYuan has an SSTI via /api/template/renderSprig
Summary: Siyuan's /api/template/renderSprig endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limitations, it allows attackers to access environment variables.
Impact: Information leakage
CVE-2026-32751 | P3 | MEDIUM | affected range: ≥ 0, ≤ 0.0.0-20260313024916-fd6526133bb3 | 2026-03-16 | sources: GHSA, OSV
CVE-2026-32751 [MEDIUM] CWE-79: SiYuan Vulnerable to Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface
Summary: SiYuan's mobile file tree (`MobileFiles.ts`) renders notebook names via `innerHTML` without HTML escaping when processing `renamenotebook` WebSocket events. The desktop version (`Files.ts`) pr
CVE-2026-39846 | P3 | CRITICAL | affected range: ≥ 0, < 0.0.0-20260407035653-2f416e5253f1 | 2026-04-08 | sources: GHSA, OSV
CVE-2026-39846 [CRITICAL] CWE-79: SiYuan: Remote Code Execution in the Electron desktop client via stored XSS in synced table captions
Summary: A malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped into rendered HTML, creating a stored XSS
CVE-2026-29073 | P3 | MEDIUM | affected range: ≥ 0, ≤ 0.0.0-20260113130602-4ba64580c29c | 2026-03-03 | sources: GHSA, OSV
CVE-2026-29073 [MEDIUM] CWE-862: SiYuan's direct SQL Query API accessible to Reader-level users enables unauthorized database access
Summary: /api/query/sql allows users to run SQL directly, but it only checks basic auth, not admin rights; any logged-in user, even readers, can run any SQL query on the database.
Details: The vulnerable endpoint is in kernel/api/sql.go: ```go func SQL(c *gin
CVE-2026-32110 | P3 | HIGH | affected range: ≥ 0, < 3.6.0 | 2026-03-12 | sources: GHSA, OSV
CVE-2026-32110 [HIGH] CWE-918: SiYuan has a Full-Read SSRF via /api/network/forwardProxy
Summary: The `/api/network/forwardProxy` endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and headers. There is no URL validation to prevent requests to internal networks, localhost, or cloud metadata servic
CVE-2026-40318 | P3 | HIGH | affected range: ≥ 0, < 3.6.4; 0.0.0-20260407035653-2f416e5253f1 | 2026-04-10 | sources: GHSA
CVE-2026-40318 [HIGH] CWE-24: SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView`
Summary: The endpoint `/api/av/removeUnusedAttributeView` is vulnerable to a path traversal (CWE-22) that allows an attacker to delete arbitrary `.json` files on the server. The issue arises because user-controlled input (`id`) is directly used in filesystem path construction without validation or restricti
CVE-2026-33067 | P3 | MEDIUM | affected range: ≥ 0, < 0.0.0-20260317012524-fe4523fff2c8 | 2026-03-18 | sources: GHSA, OSV
CVE-2026-33067 [MEDIUM] CWE-79: SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata
Summary: SiYuan's Bazaar (community marketplace) renders package metadata fields (`displayName`, `description`) using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatic
CVE-2026-32749 | P3 | HIGH | affected range: ≥ 0, ≤ 0.0.0-20260313024916-fd6526133bb3 | 2026-03-16 | sources: GHSA, OSV
CVE-2026-32749 [HIGH] CWE-22: SiYuan importSY/importZipMd: path traversal via multipart filename enables arbitrary file write
Summary: POST /api/import/importSY and POST /api/import/importZipMd write uploaded archives to a path derived from the multipart filename field without sanitization, allowing an admin to write files to arbitrary locations outside the temp directory, including system paths t