B3log Siyuan

55 CVEs affecting B3log Siyuan. Latest disclosed: 2026-04-17. Critical: 23, High: 17.

Top CVEs affecting B3log Siyuan
CVE | Severity | Score | Published | Summary
CVE-2026-32938 | Critical | 9.9 | 2026-03-20 | SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file…
CVE-2026-33670 | Critical | 9.8 | 2026-03-26 | SiYuan is a personal knowledge management system. Prior to version 3.6.2, the /api/file/readDir interface was used to traverse and retrieve the file names of a…
CVE-2026-33669 | Critical | 9.8 | 2026-03-26 | SiYuan is a personal knowledge management system. Prior to version 3.6.2, document IDs were retrieved via the /api/file/readDir interface, and then the /api/bl…
CVE-2026-32767 | Critical | 9.8 | 2026-03-20 | SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock…
CVE-2024-55660 | Critical | 9.8 | 2024-12-12 | SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's `/api/template/renderSprig` endpoint is vulnerable to Server-Side Template…
CVE-2024-53507 | Critical | 9.8 | 2024-11-29 | A SQL injection vulnerability was discovered in Siyuan 3.1.11 in /getHistoryItems.
CVE-2024-53506 | Critical | 9.8 | 2024-11-29 | A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the ids array parameter in /batchGetBlockAttrs.
CVE-2024-53505 | Critical | 9.8 | 2024-11-29 | A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the id parameter at /getAssetContent.
CVE-2024-53504 | Critical | 9.8 | 2024-11-29 | A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the notebook parameter in /searchHistory.
CVE-2026-34449 | Critical | 9.6 | 2026-03-31 | SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running Si…
CVE-2026-23852 | Critical | 9.6 | 2026-01-19 | SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inj…
CVE-2026-32940 | Critical | 9.3 | 2026-03-20 | SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist: it blocks data:text/html and data:imag…
CVE-2026-30869 | Critical | 9.3 | 2026-03-10 | SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary…
CVE-2026-29183 | Critical | 9.3 | 2026-03-06 | SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoin…
CVE-2026-25539 | Critical | 9.1 | 2026-02-04 | SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authen…
CVE-2025-21609 | Critical | 9.1 | 2025-01-03 | SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnera…
CVE-2026-40322 | Critical | 9.0 | 2026-04-16 | SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to "loose", an…
CVE-2026-39846 | Critical | 9.0 | 2026-04-07 | SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Elect…
CVE-2026-34448 | Critical | 9.0 | 2026-03-31 | SiYuan is a personal knowledge management system. Prior to version 3.6.2, an attacker who can place a malicious URL in an Attribute View mAsse field can trigge…
CVE-2026-33067 | Critical | 9.0 | 2026-03-20 | SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields (displayName, description) using template literals wi…