Siyuan-note Siyuan
58 CVEs affecting Siyuan-note Siyuan. Latest disclosed: 2026-05-14. Critical: 13, High: 14.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-32938 | Critical | 9.9 | 2026-03-20 | SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file… |
| CVE-2026-33670 | Critical | 9.8 | 2026-03-26 | SiYuan is a personal knowledge management system. Prior to version 3.6.2, the /api/file/readDir interface was used to traverse and retrieve the file names of a… |
| CVE-2026-33669 | Critical | 9.8 | 2026-03-26 | SiYuan is a personal knowledge management system. Prior to version 3.6.2, document IDs were retrieved via the /api/file/readDir interface, and then the /api/bl… |
| CVE-2026-32767 | Critical | 9.8 | 2026-03-20 | SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock… |
| CVE-2026-34449 | Critical | 9.7 | 2026-03-31 | SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running Si… |
| CVE-2026-32940 | Critical | 9.3 | 2026-03-20 | SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist — it blocks data:text/html and data:imag… |
| CVE-2026-30869 | Critical | 9.3 | 2026-03-09 | SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary… |
| CVE-2026-29183 | Critical | 9.3 | 2026-03-06 | SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoin… |
| CVE-2026-40322 | Critical | 9.1 | 2026-04-16 | SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to "loose", an… |
| CVE-2026-39846 | Critical | 9.1 | 2026-04-07 | SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Elect… |
| CVE-2026-34448 | Critical | 9.1 | 2026-03-31 | SiYuan is a personal knowledge management system. Prior to version 3.6.2, an attacker who can place a malicious URL in an Attribute View mAsse field can trigge… |
| CVE-2026-25539 | Critical | 9.1 | 2026-02-04 | SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authen… |
| CVE-2026-45375 | Critical | 9.0 | 2026-05-14 | SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar (community marketplace) renders the name and version fields of a… |
| CVE-2026-41421 | High | 8.8 | 2026-04-24 | SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, SiYuan desktop renders notification messages as raw HTML inside an Electron rend… |
| CVE-2026-34585 | High | 8.6 | 2026-03-31 | SiYuan is a personal knowledge management system. Prior to version 3.6.2, a vulnerability allows crafted block attribute values to bypass server-side attribute… |
| CVE-2026-40318 | High | 8.5 | 2026-04-16 | SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesys… |
| CVE-2026-44586 | High | 8.3 | 2026-05-14 | SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from th… |
| CVE-2026-32110 | High | 8.3 | 2026-03-11 | SiYuan is a personal knowledge management system. Prior to 3.6.0, the /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requ… |
| CVE-2026-40259 | High | 8.1 | 2026-04-16 | SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by… |
| CVE-2025-67488 | High | 7.8 | 2025-12-09 | SiYuan is self-hosted, open source personal knowledge management software. Versions 0.0.0-20251202123337-6ef83b42c7ce and below contain function importZipMd wh… |