
b3log siyuan

55 known vulnerabilities across versions
Vulnerabilities are listed by affected version range, with the severity score and rating for each. Descriptions are truncated excerpts of the published advisories.
CVE-2026-40922 | affected: >= 3.6.1 and < 3.6.4 | CVSS 5.4 MEDIUM
SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar READ

CVE-2026-40322 | affected: < 3.6.4 | CVSS 9.0 CRITICAL
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with sec

CVE-2026-40318 | affected: < 3.6.4 | CVSS 8.5 HIGH
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView

CVE-2026-40259 | affected: < 3.6.4 | CVSS 8.1 HIGH
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView

CVE-2026-40107 | affected: < 3.6.4 | CVSS 6.5 MEDIUM
SiYuan is a personal knowledge management system. Prior to 3.6.4, SiYuan configures Mermaid.js with securityLevel: "loose" and htm

CVE-2026-39846 | affected: < 3.6.4 | CVSS 9.0 CRITICAL
SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code

CVE-2026-34605 | affected: >= 3.6.0 and < 3.6.2 | CVSS 6.1 MEDIUM
SiYuan is a personal knowledge management system. From version 3.6.0 to before version 3.6.2, the SanitizeSVG function introduced

CVE-2026-34585 | affected: < 3.6.2 | CVSS 8.6 HIGH
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a vulnerability allows crafted block attribute values to

CVE-2026-34453 | affected: < 3.6.2 | CVSS 7.5 HIGH
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from passw

CVE-2026-34449 | affected: < 3.6.2 | CVSS 9.6 CRITICAL
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (R

CVE-2026-34448 | affected: < 3.6.2 | CVSS 9.0 CRITICAL
SiYuan is a personal knowledge management system. Prior to version 3.6.2, an attacker who can place a malicious URL in an Attribut

CVE-2026-33670 | affected: < 3.6.2 | CVSS 9.8 CRITICAL
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the /api/file/readDir interface was used to traverse and

CVE-2026-33669 | affected: < 3.6.2 | CVSS 9.8 CRITICAL
SiYuan is a personal knowledge management system. Prior to version 3.6.2, document IDs were retrieved via the /api/file/readDir in

CVE-2026-33476 | affected: < 3.6.2 | CVSS 7.5 HIGH
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes an unauthenticated file-servin

CVE-2026-33203 | affected: < 3.6.2 | CVSS 7.5 HIGH
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticat

CVE-2026-33194 | affected: < 3.6.2 | CVSS 6.8 MEDIUM
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the IsSensitivePath() function in `kernel/util/path.go

CVE-2026-33067 | affected: < 3.6.1 | CVSS 9.0 CRITICAL
SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields (displayName, descriptio

CVE-2026-33066 | affected: < 3.6.1 | CVSS 9.0 CRITICAL
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New() w

CVE-2026-32940 | affected: < 3.6.1 | CVSS 9.3 CRITICAL
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist; it blocks

CVE-2026-32938 | affected: < 3.6.1 | CVSS 9.9 CRITICAL
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies l

CVE-2026-32767 | affected: < 3.6.1 | CVSS 9.8 CRITICAL
SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /a

CVE-2026-32815 | affected: < 3.6.1 | CVSS 7.5 HIGH
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint (/ws) allows unauthenticated

CVE-2026-32751 | affected: < 3.6.1 | CVSS 9.0 CRITICAL
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree (MobileFiles.ts) renders noteb

CVE-2026-32750 | affected: < 3.6.1 | CVSS 6.8 MEDIUM
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importStdMd passes the localPath p

CVE-2026-32749 | affected: < 3.6.1 | CVSS 7.6 HIGH
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importSY and POST /api/import/impo

CVE-2026-32747 | affected: < 3.6.1 | CVSS 6.8 MEDIUM
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the globalCopyFiles API reads source files using fi

CVE-2026-32704 | affected: < 3.6.1 | CVSS 6.5 MEDIUM
SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allow

CVE-2026-32110 | affected: < 3.6.0 | CVSS 8.3 HIGH
SiYuan is a personal knowledge management system. Prior to 3.6.0, the /api/network/forwardProxy endpoint allows authenticated user

CVE-2026-31809 | affected: < 3.5.10 | CVSS 6.1 MEDIUM
SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) checks href attributes for

CVE-2026-31807 | affected: < 3.5.10 | CVSS 6.1 MEDIUM
SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) blocks dangerous elements

CVE-2026-30869 | affected: < 3.5.10 | CVSS 9.3 CRITICAL
SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows a

CVE-2026-30926 | affected: < 3.5.10 | CVSS 7.1 HIGH
SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish serv

CVE-2026-29183 | affected: < 3.5.9 | CVSS 9.3 CRITICAL
SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in

CVE-2026-29073 | affected: <= 3.5.9 | CVSS 8.8 HIGH
SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql lets a user run sql directly, but it

CVE-2026-25992 | affected: < 3.5.5 | CVSS 7.5 HIGH
SiYuan is a personal knowledge management system. Prior to 3.5.5, the /api/file/getFile endpoint uses case-sensitive string equali

CVE-2026-25647 | affected: all versions | CVSS 4.6 MEDIUM
Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored

CVE-2026-25539 | affected: <= 3.5.3 | CVSS 9.1 CRITICAL
SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the de

CVE-2026-23852 | affected: < 3.5.4 | CVSS 9.6 CRITICAL
SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability t

CVE-2026-23851 | affected: < 3.5.4 | CVSS 6.5 MEDIUM
SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCop

CVE-2026-23850 | affected: < 3.5.4 | CVSS 7.5 HIGH
SiYuan is a personal knowledge management system. In versions prior to 3.5.4, the markdown feature allows unrestricted server side

CVE-2026-23847 | affected: < 3.5.4 | CVSS 6.1 MEDIUM
SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api

CVE-2026-23645 | affected: < 3.5.4 | CVSS 6.1 MEDIUM
SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS

CVE-2025-68948 | affected: < 3.5.2 | CVSS 8.1 HIGH
SiYuan is self-hosted, open source personal knowledge management software. In versions 3.5.1 and prior, the SiYuan Note applicatio

CVE-2025-67488 | affected: < 3.5.0 | CVSS 7.8 HIGH
SiYuan is self-hosted, open source personal knowledge management software. Versions 0.0.0-20251202123337-6ef83b42c7ce and below co

CVE-2025-21609 | affected: all versions | CVSS 9.1 CRITICAL
SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deleti

CVE-2024-55660 | affected: all versions | CVSS 9.8 CRITICAL
SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's /api/template/renderSprig endpoint is vulner

CVE-2024-55659 | affected: all versions | CVSS 5.4 MEDIUM
SiYuan is a personal knowledge management system. Prior to version 3.1.16, the /api/asset/upload endpoint in Siyuan is vulnerabl

CVE-2024-55658 | affected: all versions | CVSS 7.5 HIGH
SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's /api/export/exportResources endpoint is vulner

CVE-2024-55657 | affected: all versions | CVSS 7.5 HIGH
SiYuan is a personal knowledge management system. Prior to version 3.1.16, an arbitrary file read vulnerability exists in Siyuan's

CVE-2024-53507 | affected: all versions | CVSS 9.8 CRITICAL
A SQL injection vulnerability was discovered in Siyuan 3.1.11 in /getHistoryItems.

CVE-2024-53506 | affected: all versions | CVSS 9.8 CRITICAL
A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the ids array parameter in /batchGetBlockAttrs.

CVE-2024-53505 | affected: all versions | CVSS 9.8 CRITICAL
A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the id parameter at /getAssetContent.

CVE-2024-53504 | affected: all versions | CVSS 9.8 CRITICAL
A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the notebook parameter in /searchHistory.

CVE-2024-6938 | affected: all versions | CVSS 3.5 LOW
A vulnerability has been found in SiYuan 3.1.0 and classified as problematic. Affected by this vulnerability is an unknown functio

CVE-2024-2692 | affected: all versions | CVSS 9.0 CRITICAL
SiYuan version 3.0.3 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin