github.com/siyuan-note/siyuan/kernel
Go · 23 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting github.com/siyuan-note/siyuan/kernel (page 1 of 1)
- CVE-2024-55657 · HIGH · CVSS 7.5 · EG 7.5 · 2024-12-12
SiYuan is a personal knowledge management system. Prior to version 3.1.16, an arbitrary file read vulnerability exists in Siyuan's `/api/template/render` endpoint. The absence of proper validation on the path parameter allows attackers to …
- CVE-2024-55658 · HIGH · CVSS 7.5 · EG 7.5 · 2024-12-12
SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's /api/export/exportResources endpoint is vulnerable to arbitrary file read via path traversal. It is possible to manipulate the paths parameter to access and…
- CVE-2024-55659 · MEDIUM · CVSS 5.4 · EG 5.4 · 2024-12-12
SiYuan is a personal knowledge management system. Prior to version 3.1.16, the `/api/asset/upload` endpoint in Siyuan is vulnerable to both arbitrary file write to the host and stored cross-site scripting (via the file write). Version 3.1.…
- CVE-2024-55660 · CRITICAL · CVSS 9.8 · EG 9.8 · 2024-12-12
SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's `/api/template/renderSprig` endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limi…
- CVE-2025-21609 · CRITICAL · CVSS 9.1 · EG 9.1 · 2025-01-03
SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attac…
- CVE-2026-23850 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 0.0.0-20260118092326-b2274baba2e1 · 2026-01-19
SiYuan is a personal knowledge management system. In versions prior to 3.5.4, the markdown feature allows unrestricted server side html-rendering which allows arbitrary file read (LFD). Version 3.5.4 fixes the issue.
- CVE-2026-34448 · CRITICAL · CVSS 9.0 · EG 9.0 · ✓ Fixed in 3.6.2 · 2026-03-31
SiYuan is a personal knowledge management system. Prior to version 3.6.2, an attacker who can place a malicious URL in an Attribute View mAsse field can trigger stored XSS when a victim opens the Gallery or Kanban view with “Cover From -…
- CVE-2026-34449 · CRITICAL · CVSS 9.6 · EG 9.6 · ✓ Fixed in 3.6.2 · 2026-03-31
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiYuan by exploiting the permissive CORS policy (Access-Control-Allow-Origin: * + …
- CVE-2026-34453 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 3.6.2 · 2026-03-31
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark fil…
- CVE-2026-34585 · HIGH · CVSS 8.6 · EG 8.6 · ✓ Fixed in 0.0.0-20260329142331-918d1bd9f967 · 2026-03-31
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a vulnerability allows crafted block attribute values to bypass server-side attribute escaping when an HTML entity is mixed with raw special characters. An attacker …
- CVE-2026-34605 · MEDIUM · CVSS 6.1 · EG 6.1 · ✓ Fixed in 0.0.0-20260330031106-f09953afc57a · 2026-03-31
SiYuan is a personal knowledge management system. From version 3.6.0 to before version 3.6.2, the SanitizeSVG function introduced in version 3.6.0 to fix XSS in the unauthenticated /api/icon/getDynamicIcon endpoint can be bypassed by using…
- CVE-2026-39846 · CRITICAL · CVSS 9.0 · EG 9.0 · ✓ Fixed in 0.0.0-20260407035653-2f416e5253f1 · 2026-04-07
SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored witho…
- CVE-2026-40107 · MEDIUM · CVSS 6.5 · EG 6.5 · ✓ Fixed in 0.0.0-20260407035653-2f416e5253f1 · 2026-04-09
SiYuan is a personal knowledge management system. Prior to 3.6.4, SiYuan configures Mermaid.js with securityLevel: "loose" and htmlLabels: true. In this mode, <img> tags with src attributes survive Mermaid's internal DOMPurify and land in …
- CVE-2026-40259 · HIGH · CVSS 8.1 · EG 8.1 · ✓ Fixed in 0.0.0-20260407035653-2f416e5253f1 · 2026-04-16
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by generic authentication that accepts publish-service RoleReader tokens. The hand…
- CVE-2026-40318 · HIGH · CVSS 8.5 · EG 8.5 · ✓ Fixed in 3.6.4, 0.0.0-20260407035653-2f416e5253f1 · 2026-04-16
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path bound…
- CVE-2026-40922 · MEDIUM · CVSS 5.4 · EG 5.4 · ✓ Fixed in 0.0.0-20260414013942-62eed37a3263 · 2026-04-17
SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README rendering (incomplete fix for CVE-2026-33066) enabled the Lute HTML sanitizer, but the sanitizer does not …
- CVE-2026-41894 · HIGH · CVSS 7.1 · EG 7.1 · ✓ Fixed in 3.6.5 · 2026-04-24
SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, the fix for CVE-2026-30869 only added a denylist check (IsSensitivePath) but did not address the root cause — a redundant url.PathUnescape() call in serveExpo…
- CVE-2026-44588 · CRITICAL · CVSS 9.4 · EG 9.4 · 2026-05-14
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the tooltip mouseover handler in app/src/block/popover.ts reads aria-label via getAttribute and passes it through decodeURIComponent before assigning to message…
- CVE-2026-44670 · CRITICAL · CVSS 9.4 · EG 9.4 · ✓ Fixed in 0.0.0-20260512140701-d7b77d945e0d · 2026-05-14
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the kernel stores Attribute View (AV / database) names without any HTML escape, then a render template uses raw strings.ReplaceAll(tpl, "${avName}", nodeAvName)…
- CVE-2026-45147 · MEDIUM · CVSS 4.3 · EG 4.3 · ✓ Fixed in 0.0.0-20260512140701-d7b77d945e0d · 2026-05-14
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, POST /api/tag/getTag is registered with model.CheckAuth only, omitting both model.CheckAdminRole and model.CheckReadonly, despite the handler performing a confi…
- CVE-2026-45148 · MEDIUM · CVSS 4.3 · EG 4.3 · ✓ Fixed in 0.0.0-20260512140701-d7b77d945e0d · 2026-05-14
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, broken access control in the searchAsset, searchTag, searchWidget, and searchTemplate handlers lets publish-mode Readers enumerate metadata from documents that are invisi…
- CVE-2026-45371 · HIGH · CVSS 7.2 · EG 7.2 · ✓ Fixed in 0.0.0-20260512140701-d7b77d945e0d · 2026-05-14
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, a SiYuan publish-mode Reader can mutate Conf and the SQL index via 8 ungated APIs. POST /api/graph/getGraph, POST /api/graph/getLocalGraph, POST /api/sync/setSyncInte…
- CVE-2026-45375 · CRITICAL · CVSS 9.0 · EG 9.0 · 2026-05-14
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar (community marketplace) renders the name and version fields of a package's plugin.json (and the equivalent theme.json / template.json / widget.j…
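Three of the entries above (the `paths` parameter of /api/export/exportResources in CVE-2024-55658, the `id` parameter of /api/av/removeUnusedAttributeView in CVE-2026-40318, and the redundant `url.PathUnescape()` behind CVE-2026-41894) are one engineering mistake: a filesystem path is built from request input and guarded by a denylist, sometimes on a string that is decoded again after the check. The Go example below is added here to illustrate that class and is not SiYuan's code; `isSensitivePath` is a stand-in for a denylist of the `IsSensitivePath` kind, and the root directory, the sample paths and the doubly-encoded request are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a requested path would leave the export root.
var ErrOutsideRoot = errors.New("path escapes the export root")

// isSensitivePath is a constructed, denylist-style check: it rejects traversal
// tokens in the string it is handed and nothing else. Such a check is only as
// good as the representation it sees, which is the point of this example.
func isSensitivePath(p string) bool {
	return strings.Contains(p, "..")
}

// ResolveDoubleDecode models the weak pattern: the router has already
// percent-decoded the path once, the denylist runs on that value, and the
// handler then unescapes it a second time. A doubly encoded request
// ("%252e%252e/...") reaches the denylist as "%2e%2e/..." with no ".." in
// sight, and only becomes "../" after the redundant decode.
func ResolveDoubleDecode(root, routerDecoded string) (string, error) {
	if isSensitivePath(routerDecoded) {
		return "", ErrOutsideRoot
	}
	again, err := url.PathUnescape(routerDecoded)
	if err != nil {
		return "", err
	}
	return filepath.Join(root, again), nil
}

// ResolveConfined is the hardened form: decode exactly once (the router's
// decode, already applied to routerDecoded), join and clean, then prove the
// result is still under root with filepath.Rel instead of trusting a denylist.
func ResolveConfined(root, routerDecoded string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absRoot, routerDecoded) // Join also cleans the result
	rel, err := filepath.Rel(absRoot, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return target, nil
}

func main() {
	const root = "/srv/export" // constructed export root
	// What a router hands over after decoding "%252e%252e/%252e%252e/etc/passwd" once.
	const onceDecoded = "%2e%2e/%2e%2e/etc/passwd"
	for _, p := range []string{"docs/a.md", "../../etc/passwd", onceDecoded} {
		weak, werr := ResolveDoubleDecode(root, p)
		hard, herr := ResolveConfined(root, p)
		fmt.Printf("%-28q double-decode: %q %v | confined: %q %v\n", p, weak, werr, hard, herr)
	}
}
```

The confined resolver still treats `%2e%2e` as a literal directory name, which is the correct outcome: the request simply fails to find a file under the root. It does not follow symlinks; if the root can contain attacker-created links, run `filepath.EvalSymlinks` on the result and repeat the `Rel` check before opening it.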
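CVE-2026-45147, CVE-2026-45371 and CVE-2026-40259 above all describe state-changing handlers registered with a generic authentication check but without the admin-role and read-only gates, so a publish-service reader token could reach them. The Go example below, added here and not SiYuan's code, models that shape with net/http middleware and adds the check a route table should fail CI on: every route flagged as mutating must carry both gates. The gate names, the token table, `readonlyMode` and the route paths are constructed for the example; they are not the project's `CheckAuth`, `CheckAdminRole` or `CheckReadonly`.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Role carried in the request context after authentication.
type Role int

const (
	RoleReader Role = iota // a publish-service / read-only token
	RoleAdmin
)

type roleKey struct{}

// Gate names a middleware. Routes declare their chain as data so the table
// can be audited (UngatedMutators) as well as composed (Build).
type Gate string

const (
	GateAuth     Gate = "auth"     // any valid token, reader or admin
	GateAdmin    Gate = "admin"    // admin tokens only
	GateReadonly Gate = "readonly" // refuse writes while the instance is read-only
)

// Constructed token table; a real service verifies signatures here.
var tokens = map[string]Role{"reader-token": RoleReader, "admin-token": RoleAdmin}

// Constructed instance flag consulted by GateReadonly.
var readonlyMode = false

var gates = map[Gate]func(http.Handler) http.Handler{
	GateAuth: func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			role, ok := tokens[r.Header.Get("Authorization")]
			if !ok {
				http.Error(w, "unauthenticated", http.StatusUnauthorized)
				return
			}
			next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), roleKey{}, role)))
		})
	},
	GateAdmin: func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if role, _ := r.Context().Value(roleKey{}).(Role); role != RoleAdmin {
				http.Error(w, "forbidden", http.StatusForbidden)
				return
			}
			next.ServeHTTP(w, r)
		})
	},
	GateReadonly: func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if readonlyMode {
				http.Error(w, "read-only", http.StatusForbidden)
				return
			}
			next.ServeHTTP(w, r)
		})
	},
}

// Route declares a path, whether its handler mutates server state
// (config, index, filesystem), and the gates in front of it.
type Route struct {
	Path    string
	Mutates bool
	Chain   []Gate
}

// Build wraps a stand-in handler in the route's gates, Chain[0] outermost.
func Build(rt Route) http.Handler {
	var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "%s ok", rt.Path)
	})
	for i := len(rt.Chain) - 1; i >= 0; i-- {
		h = gates[rt.Chain[i]](h)
	}
	return h
}

// Call exercises a route with a token and returns the HTTP status code.
func Call(rt Route, token string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, rt.Path, nil)
	req.Header.Set("Authorization", token)
	Build(rt).ServeHTTP(rec, req)
	return rec.Code
}

// UngatedMutators is the audit a test suite should run over the route table:
// every mutating route must carry both the admin and the read-only gate.
func UngatedMutators(routes []Route) []string {
	var bad []string
	for _, rt := range routes {
		if !rt.Mutates {
			continue
		}
		has := map[Gate]bool{}
		for _, g := range rt.Chain {
			has[g] = true
		}
		if !has[GateAdmin] || !has[GateReadonly] {
			bad = append(bad, rt.Path)
		}
	}
	return bad
}

// Constructed route table: the first entry has the auth-only shape described
// in the listing, the second is the corrected chain, the third is a read.
var Routes = []Route{
	{Path: "/api/example/setSetting", Mutates: true, Chain: []Gate{GateAuth}},
	{Path: "/api/example/setSettingFixed", Mutates: true, Chain: []Gate{GateAuth, GateAdmin, GateReadonly}},
	{Path: "/api/example/getDoc", Mutates: false, Chain: []Gate{GateAuth}},
}

func main() {
	for _, rt := range Routes {
		fmt.Printf("%-32s reader=%d admin=%d\n", rt.Path, Call(rt, "reader-token"), Call(rt, "admin-token"))
	}
	fmt.Println("ungated mutators:", UngatedMutators(Routes))
}
```

The `Mutates` flag is the part that has to be maintained by hand; a reviewer checking a new endpoint should ask whether the handler writes Conf, the index or the filesystem, and if so reject a chain that stops at `GateAuth`.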
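CVE-2026-34585 above is summarised as an escape bypass that triggers when an HTML entity is mixed with raw special characters. One mechanism that produces exactly that symptom is an escaper which skips already-escaped-looking input to avoid double encoding. The Go example below is added here to show that anti-pattern beside an idempotent alternative; it is a constructed illustration, not SiYuan's escaping code, and the attribute template and payload are made up for the example.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
	"strings"
)

// entity matches a named or numeric HTML character reference.
var entity = regexp.MustCompile(`&(#[0-9]+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);`)

// EscapeIfRaw is the constructed anti-pattern: to avoid double-escaping values
// that were stored already escaped, it skips escaping whenever an entity is
// present. One entity mixed with raw quotes is enough to pass the whole value
// through untouched.
func EscapeIfRaw(v string) string {
	if entity.MatchString(v) {
		return v
	}
	return html.EscapeString(v)
}

// EscapeAlways normalises first (decode whatever entities are present) and
// then escapes everything. It is idempotent, so stored-escaped and raw values
// both come out safe, and no raw quote or angle bracket survives.
func EscapeAlways(v string) string {
	return html.EscapeString(html.UnescapeString(v))
}

// RenderAttr interpolates the value into a quoted attribute the way a naive
// template might.
func RenderAttr(v string) string {
	return `<div data-name="` + v + `">`
}

// BreaksAttribute reports whether a value can terminate the quoted attribute
// or the tag around it.
func BreaksAttribute(v string) bool {
	return strings.ContainsAny(v, `"<>`)
}

func main() {
	// Constructed payload: one entity plus raw quotes.
	payload := `Notes &amp; Co" onmouseover="alert(1)`
	for _, fn := range []struct {
		name string
		f    func(string) string
	}{{"EscapeIfRaw", EscapeIfRaw}, {"EscapeAlways", EscapeAlways}} {
		out := fn.f(payload)
		fmt.Printf("%-12s breaks=%-5v %s\n", fn.name, BreaksAttribute(out), RenderAttr(out))
	}
}
```

Go's html.EscapeString targets HTML text and double-quoted attribute contexts; a value that ends up inside a script block, a URL or an unquoted attribute needs the encoder for that context instead, and the decode-then-encode step does nothing to fix a template that concatenates strings without one.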