cvebase

github.com/siyuan-note_siyuan_kernel vulnerabilities

47 known vulnerabilities affecting github.com/siyuan-note_siyuan_kernel.

Total CVEs: 47
CISA KEV: 0
Public exploits: 6
Exploited in wild: 0
Severity breakdown: CRITICAL 12, HIGH 20, MEDIUM 14, LOW 1

Vulnerabilities

Page 2 of 3
CVE-2026-25539 | P3 | CRITICAL | CWE-22 | ≥ 0, ≤ 0.0.0-20260126094835-d5d10dd41b0c | 2026-01-29
SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE
## Summary
The `/api/file/copyFile` endpoint does not validate the `dest` parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files.
- Af
ghsa, osv
CVE-2026-34448 | P3 | CRITICAL | CWE-79 | ≥ 0, < 3.6.2 | 2026-03-31
SiYuan: Stored XSS in Attribute View Gallery/Kanban Cover Rendering Allows Arbitrary Command Execution in Desktop Client
### Summary
An attacker who can place a malicious URL in an Attribute View `mAsse` field can trigger stored XSS when a victim opens the Gallery or Kanban view with “Cover From -> Asset Field” enabled. The vulnerable code acc
ghsa, osv
CVE-2026-40259 | P3 | HIGH | CWE-285 | ≥ 0, < 0.0.0-20260407035653-2f416e5253f1 | 2026-04-10
SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via `/api/av/removeUnusedAttributeView`
## Summary
An authenticated publish-service reader can invoke `/api/av/removeUnusedAttributeView` and cause persistent deletion of arbitrary attribute view (`AV`) definition files from the workspace. The route is protected only by generic `CheckAuth`, w
ghsa
CVE-2026-33670 | P3 | CRITICAL | CWE-22 | ≥ 0, ≤ 0.0.0-20260317012524-fe4523fff2c8 | 2026-03-25
SiYuan has directory traversal within its publishing service
### Details
The /api/file/readDir interface was used to traverse and retrieve the file names of all documents under a notebook.
### PoC
```python
#!/usr/bin/env python3
"""POC: SiYuan /api/file/readDir unauthenticated directory traversal"""
import requests, json, sys

def poc(target):
    base = target.rstrip("/")
    url = f"{base}/api/file/readDir"
    def read_dir(path, dept
```
ghsa, osv
CVE-2026-23850 | P3 | HIGH | CWE-22 | ≥ 0, < 0.0.0-20260118092326-b2274baba2e1 | 2026-01-21
SiYuan vulnerable to Arbitrary file Read / SSRF
### Summary
Markdown feature allows unrestricted server side html-rendering which allows arbitrary file read (LFD) and fully SSRF access
We in @0xL4ugh (@abdoghazy2015, @xtromera, @A-z4ki, @ZeyadZonkorany and @KarimTantawey) During playing Null CTF 2025 that helps us solved a challenge with unintended way : )
Please note that we used the latest Version and deployed it vi
ghsa, osv
CVE-2026-44670 | P3 | CRITICAL | CWE-1188 | ≥ 0, ≤ 0.0.0-20260421031503-96dfe0bea474 | 2026-05-08
SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE
## Summary
The kernel stores Attribute View (AV / database) names without any HTML escape, then a render template uses raw `strings.ReplaceAll(tpl, "${avName}", nodeAvName)` to embed the name in HTML before pushing to all clients via WebSocket. Three independent client paths (`render.ts:120` → `outerHTML
ghsa
CVE-2026-45375 | P3 | CRITICAL | CWE-116 | ≥ 0, ≤ 0.0.0-20260421031503-96dfe0bea474 | 2026-05-13
SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution
### Summary
SiYuan's Bazaar (community marketplace) renders the `name` and `version` fields of a package's `plugin.json` (and the equivalent `theme.json` / `template.json` / `widget.json` / `icon.json`)
ghsa
CVE-2024-55658 | P3 | HIGH | CWE-22 | ≥ 0, ≤ 0.0.0-20241210012039-5129ad926a21 | 2024-12-11
SiYuan has an arbitrary file read and path traversal via /api/export/exportResources
### Summary
SiYuan's /api/export/exportResources endpoint is vulnerable to arbitrary file read via path traversal. It is possible to manipulate the paths parameter to access and download arbitrary files from the host system by traversing the workspace directory structure.
### Impact
Arbitrary File
ghsa, osv
CVE-2026-33669 | P3 | CRITICAL | CWE-125 | ≥ 0, ≤ 0.0.0-20260317012524-fe4523fff2c8 | 2026-03-25
SiYuan has Arbitrary Document Reading within the Publishing Service
### Details
Document IDs were retrieved via the /api/file/readDir interface, and then the /api/block/getChildBlocks interface was used to view the content of all documents.
### PoC
```python
#!/usr/bin/env python3
"""SiYuan /api/block/getChildBlocks document content read"""
import requests
import json
import sys

def get_child_blocks(targe
```
ghsa, osv
CVE-2026-25992 | P3 | HIGH | CWE-178 | ≥ 0, ≤ 0.0.0-20260126094835-d5d10dd41b0c | 2026-01-28
SiYuan File Read API Case Sensitivity Bypass can Lead to Path Traversal
# File Read Interface Case Bypass Vulnerability
## Vulnerability Name
File Read Interface Case Bypass Vulnerability
## Overview
The `/api/file/getFile` endpoint uses **case-sensitive string equality checks** to block access to sensitive files. On case-insensitive file systems such as **Windows**, attackers can bypass restr
ghsa, osv
CVE-2024-55657 | P3 | HIGH | CWE-22 | ≥ 0, ≤ 0.0.0-20241210012039-5129ad926a21 | 2024-12-11
SiYuan has an arbitrary file read via /api/template/render
### Summary
An arbitrary file read vulnerability exists in SiYuan's /api/template/render endpoint. The absence of proper validation on the path parameter allows attackers to access sensitive files on the host system.
### Impact
Arbitrary file read on the host
ghsa, osv
CVE-2026-33203 | P3 | HIGH | CWE-248 | ≥ 0, < 3.6.2 | 2026-03-18
SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass
## Summary
The SiYuan kernel WebSocket server accepts unauthenticated connections when a specific “auth keepalive” query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON. A remote attacker can send malformed messages that trigger a runtime panic, p
ghsa, osv
CVE-2026-45371 | P3 | HIGH | CWE-285 | ≥ 0, < 0.0.0-20260512140701-d7b77d945e0d | 2026-05-13
SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs
### Summary
SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs `POST /api/graph/getGraph`, `POST /api/graph/getLocalGraph`, `POST /api/sync/setSyncInterval`, `POST /api/storage/updateRecentDocViewTime`, `POST /api/storage/updateRecentDocCloseTime`, `POST /api/storage/updateRecentDocOpenTim
ghsa
CVE-2026-32815 | P3 | MEDIUM | CWE-287 | ≥ 0, ≤ 0.0.0-20260313024916-fd6526133bb3 | 2026-03-16
SiYuan Vulnerable to Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure
## Summary
SiYuan's WebSocket endpoint (`/ws`) allows unauthenticated connections when specific URL parameters are provid
ghsa, osv
CVE-2026-30926 | P3 | HIGH | CWE-284 | ≥ 0, ≤ 0.0.0-20260304035530-d03ebdec8279 | 2026-03-09
SiYuan: Authorization Bypass Allows Low-Privilege Publish User to Modify Notebook Content via /api/block/appendHeadingChildren
### Summary
A privilege escalation vulnerability exists in the publish service of SiYuan Note that allows a low-privilege publish account (RoleReader) to modify notebook content via the `/api/block/appendHeadingChil
ghsa, osv
CVE-2026-34585 | P3 | HIGH | CWE-79 | ≥ 0, < 0.0.0-20260329142331-918d1bd9f967 | 2026-04-01
SiYuan Desktop: Stored XSS in imported .sy.zip content leads to arbitrary command execution
### Summary
A vulnerability allows crafted block attribute values to bypass server-side attribute escaping when an HTML entity is mixed with raw special characters. An attacker can embed a malicious IAL value inside a `.sy` document, package it as a `.sy.zip`, and have the victim impor
ghsa, osv
CVE-2026-23851 | P3 | HIGH | CWE-22 | ≥ 0, < 0.0.0-20260118092521-f8f4b517077b | 2026-01-21
SiYuan Vulnerable to Arbitrary File Read via File Copy Functionality
### Summary
The SiYuan Note application (v3.5.3) contains a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace without proper path validation.
### Details
The vulnerability exists in the ap
ghsa, osv
CVE-2026-32704 | P3 | MEDIUM | CWE-285 | ≥ 0, < 3.6.1 | 2026-03-13
SiYuan's renderSprig has a missing admin check that allows any user to read full workspace DB
### Summary
`POST /api/template/renderSprig` lacks `model.CheckAdminRole`, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes.
### Details
**File:** `kernel/api/
ghsa, osv
CVE-2026-32938 | P3 | CRITICAL | CWE-200 | ≥ 0, ≤ 0.0.0-20260313024916-fd6526133bb3 | 2026-03-17
SiYuan Vulnerable to Arbitrary File Read in Desktop Publish Service
### Summary
In SiYuan, `/api/lute/html2BlockDOM` on the desktop copies local files pointed to by `file://` links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with `GET /assets/*path`, which only requires authentication, a publish-service visitor can cause t
ghsa, osv
CVE-2026-33194 | P3 | MEDIUM | CWE-22 | ≥ 0, < 3.6.2 | 2026-03-18
SiYuan has an Incomplete Fix for IsSensitivePath Denylist Allows File Read from /opt, /usr, /home (GHSA-h5vh-m7fg-w5h6 Bypass)
## Summary
The `IsSensitivePath()` function in `kernel/util/path.go` uses a denylist approach that was recently expanded (GHSA-h5vh-m7fg-w5h6, commit 9914fd1) but remains incomplete. Multiple security-relevant Lin
ghsa, osv