
SiYuan — Vulnerabilities & Security Advisories (60)

All 60 CVE vulnerabilities found in SiYuan, with AI-generated Chinese analysis, references, and POCs.

This page aggregates the published vulnerabilities in SiYuan, a self-hosted note-taking platform, and tags each entry with its CWE weakness class. The page tracks 60 CVEs in total, 30 of which are listed below, and states that its data covers advisories from 2021 to the present; the listed entries were published from 2024 onward. The issue types that recur in this codebase are cross-site scripting (stored, reflected, and via SVG upload or sanitizer bypass), path traversal leading to arbitrary file read, write or deletion, authorization and authentication bypasses, server-side template injection and SSRF. In the listed entries, path traversal (CWE-22) and cross-site scripting (CWE-79) together account for two thirds of the rows, which is the pattern a deployer should weigh first: most of the file-system bugs sit behind API endpoints, so exposing an instance beyond localhost without authentication turns many of these from local into remote issues.

Each row gives the CVE ID, title, CWE, CVSS score, severity rating and publication date, so a reader can follow the vendor's advisory history, see which weakness classes recur over time, and check whether a given installed version is affected before deciding on updates and configuration hardening. Scores and ratings are taken from vendor advisories and public vulnerability databases where available. A score or rating marked "AI" was estimated by the aggregator rather than assigned by the vendor or a database and should be treated as a triage hint, not an authoritative rating; a "-" in the severity column means no rating was listed.

Vendor: SiYuan

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-32815 | SiYuan: Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure | CWE-287 | 9.1 | - | 2026-03-19 |
| CVE-2026-32750 | SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes | CWE-22 | 6.8 | Medium | 2026-03-19 |
| CVE-2026-32751 | SiYuan Vulnerable to Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface | CWE-79 | 5.4 | - | 2026-03-19 |
| CVE-2026-32749 | SiYuan importSY/importZipMd: Path Traversal via multipart filename enables arbitrary file write | CWE-73 | 7.6 | High | 2026-03-19 |
| CVE-2026-32747 | SiYuan: Incomplete sensitive path blocklist in globalCopyFiles allows reading /proc and Docker secrets | CWE-22 | 6.8 | Medium | 2026-03-19 |
| CVE-2026-32704 | SiYuan renderSprig: missing admin check allows any user to read full workspace DB | CWE-285 | 6.5 | Medium | 2026-03-13 |
| CVE-2026-32110 | SiYuan has a Full-Read SSRF via /api/network/forwardProxy | CWE-918 | 8.3 | High | 2026-03-11 |
| CVE-2026-31809 | SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-31807 | SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-30869 | SiYuan has a Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage | CWE-22 | 9.3 | Critical | 2026-03-09 |
| CVE-2026-30926 | SiYuan Note publish service authorization bypass allows low-privilege users to modify notebook content | CWE-284 | 7.1 | High | 2026-03-09 |
| CVE-2026-29183 | SiYuan: Unauthenticated reflected SVG XSS in `/api/icon/getDynamicIcon` (`type=8`) enables arbitrary JavaScript execution | CWE-79 | 9.3 | Critical | 2026-03-06 |
| CVE-2026-29073 | SiYuan: Direct SQL Query API accessible to Reader-level users enables unauthorized database access | CWE-862 | 8.8 | - | 2026-03-06 |
| CVE-2026-25992 | SiYuan has a File Read Interface Case Bypass Vulnerability | CWE-22 | 7.5 | High | 2026-02-10 |
| CVE-2026-25647 | Lute has a Stored Cross-Site Scripting (XSS) via Markdown hyperlink | CWE-79 | 4.6 | Medium | 2026-02-06 |
| CVE-2026-25539 | SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE | CWE-22 | 9.1 | Critical | 2026-02-04 |
| CVE-2026-23852 | SiYuan vulnerable to Stored XSS / RCE via `setBlockAttrs` icon attribute | CWE-94 | 8.2 (AI) | High (AI) | 2026-01-19 |
| CVE-2026-23851 | SiYuan Vulnerable to Arbitrary File Read via File Copy Functionality | CWE-22 | 8.1 (AI) | High (AI) | 2026-01-19 |
| CVE-2026-23850 | SiYuan vulnerable to arbitrary file read | CWE-22 | 6.5 (AI) | Medium (AI) | 2026-01-19 |
| CVE-2026-23847 | SiYuan Vulnerable to Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-01-19 |
| CVE-2026-23645 | SiYuan Vulnerable to Stored Cross-Site Scripting (XSS) via Unrestricted SVG File Upload | CWE-79 | 5.4 | - | 2026-01-16 |
| CVE-2025-68948 | SiYuan: Information Disclosure and Authentication Bypass via Hardcoded Session Secret | CWE-321 | 8.4 | - | 2025-12-27 |
| CVE-2025-67488 | SiYuan: ZipSlip -> Arbitrary File Overwrite -> RCE | CWE-22 | 7.8 | High | 2025-12-09 |
| CVE-2025-21609 | SiYuan has an arbitrary file deletion vulnerability | CWE-459 | 8.1 | - | 2025-01-03 |
| CVE-2024-55660 | SiYuan has an SSTI via /api/template/renderSprig | CWE-1336 | 6.5 | - | 2024-12-11 |
| CVE-2024-55659 | SiYuan has an arbitrary file write in the host via /api/asset/upload | CWE-22 | 5.4 | - | 2024-12-11 |
| CVE-2024-55658 | SiYuan has an arbitrary file read and path traversal via /api/export/exportResources | CWE-22 | 6.5 | - | 2024-12-11 |
| CVE-2024-55657 | SiYuan has an arbitrary file read via /api/template/render | CWE-22 | 6.5 | - | 2024-12-11 |
| CVE-2024-6938 | SiYuan PDF PDF.js cross site scripting | CWE-79 | 3.5 | Low | 2024-07-21 |
| CVE-2024-2692 | SiYuan 3.0.3 - RCE via Server Side XSS | CWE-79 | 9.0 | Critical | 2024-04-04 |

(AI) marks a CVSS score or severity estimated by the aggregator rather than assigned by the vendor or a vulnerability database; "-" means no severity was listed.
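To make the weakness-class and timeline view this page describes reproducible, here is an added example that is not part of the page or of SiYuan: a small Python parser for the one-line-per-entry format in which the aggregator's table is exported (header fused, score and severity run together, an "AI" suffix marking estimated values), plus the summaries a reviewer would compute from it. The sample export below is constructed from eight of this page's own rows; the function names, the 9.0 threshold, and the rule of excluding AI-estimated scores from the patch-priority list are choices of this example, not anything the page prescribes.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: eight rows copied from this page's table in the flattened
# export form (fused header, score/severity/date run together, "AI" suffixes).
SAMPLE_EXPORT = """\
CVE IDTitleCVSSSeverityPublished
CVE-2026-32815 SiYuan: Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure CWE-287 9.1 -2026-03-19
CVE-2026-31809 SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS CWE-79 5.4AIMediumAI2026-03-10
CVE-2026-30869 SiYuan has a Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage CWE-22 9.3 Critical2026-03-09
CVE-2026-25539 SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE CWE-22 9.1 Critical2026-02-04
CVE-2026-23852 SiYuan vulnerable to Stored XSS / RCE via `setBlockAttrs` icon attribute CWE-94 8.2AIHighAI2026-01-19
CVE-2025-68948 SiYuan: Information Disclosure and Authentication Bypass via Hardcoded Session Secret CWE-321 8.4 -2025-12-27
CVE-2024-55657 SiYuan has an arbitrary file read via /api/template/render CWE-22 6.5 -2024-12-11
CVE-2024-2692 SiYuan 3.0.3 - RCE via Server Side XSS CWE-79 9.0 Critical2024-04-04
"""

# One advisory per line: CVE, free-text title, CWE, CVSS, severity, date.
# "AI" glued to the score and/or severity marks an aggregator estimate;
# a "-" severity means none was listed. The title is matched lazily so the
# first " CWE-nnn " that is followed by a score/severity/date tail ends it.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?P<title>.+?)\s+"
    r"(?P<cwe>CWE-\d+)\s+"
    r"(?P<cvss>\d{1,2}\.\d)(?P<cvss_ai>AI)?\s*"
    r"(?P<severity>Critical|High|Medium|Low|-)(?P<sev_ai>AI)?\s*"
    r"(?P<published>\d{4}-\d{2}-\d{2})$"
)


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    cwe: str
    cvss: float
    severity: Optional[str]   # None when the export shows "-"
    ai_estimated: bool        # True if the score or the rating is an AI guess
    published: str            # ISO date, YYYY-MM-DD


def parse_row(line: str) -> Advisory:
    """Parse one export row; raise on anything that does not fit the format."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable advisory row: {line!r}")
    sev = m["severity"]
    return Advisory(
        cve=m["cve"], title=m["title"], cwe=m["cwe"], cvss=float(m["cvss"]),
        severity=None if sev == "-" else sev,
        ai_estimated=bool(m["cvss_ai"] or m["sev_ai"]),
        published=m["published"],
    )


def parse_export(text: str) -> list:
    """Parse a whole export. Blank lines and the fused header are skipped;
    a line that starts with "CVE-" but fails to parse raises, so a malformed
    row surfaces instead of silently disappearing from the risk picture."""
    return [parse_row(ln) for ln in text.splitlines() if ln.strip().startswith("CVE-")]


def cwe_by_year(advisories) -> dict:
    """{year: Counter(cwe -> count)}: which weakness classes recur, and when."""
    by_year: dict = {}
    for a in advisories:
        by_year.setdefault(a.published[:4], Counter())[a.cwe] += 1
    return by_year


def top_weakness_classes(advisories, n: int = 3) -> list:
    """Most frequent CWE classes across the whole export."""
    return Counter(a.cwe for a in advisories).most_common(n)


def vetted_critical(advisories, threshold: float = 9.0) -> list:
    """CVE IDs at or above the threshold whose score is NOT an AI estimate.
    AI-estimated rows are left out on purpose: they need manual review before
    they drive patch priority (this exclusion rule is an assumption here)."""
    return [a.cve for a in advisories if a.cvss >= threshold and not a.ai_estimated]


if __name__ == "__main__":
    advs = parse_export(SAMPLE_EXPORT)
    print(f"{len(advs)} advisories parsed")
    for year, counts in sorted(cwe_by_year(advs).items()):
        print(year, dict(counts))
    print("top classes:", top_weakness_classes(advs, 2))
    print("vetted critical:", vetted_critical(advs))
```

Run it as a script for a console summary, or import it and point `parse_export` at the full 60-row export; the regex is deliberately strict so that a new export layout (an extra column, a changed severity label) breaks loudly in `parse_row` rather than producing a quietly wrong count.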

The page tracks 60 known CVEs affecting SiYuan, with Chinese analysis, references, and proof-of-concept material where available; 30 of them are listed in the table above.