
siyuan-note — Vulnerabilities & Security Advisories 58

Browse all 58 CVE security advisories affecting siyuan-note. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Siyuan-note is a local-first, privacy-focused knowledge management application designed for note-taking and information organization. Despite its emphasis on data sovereignty, the software has accumulated 51 recorded Common Vulnerabilities and Exposures (CVEs), indicating significant historical security challenges. These vulnerabilities predominantly involve remote code execution, cross-site scripting, and privilege escalation flaws, often stemming from insufficient input validation and improper access controls within its web-based interface components. Notably, several incidents have allowed attackers to execute arbitrary commands or access sensitive user data without authentication, undermining the platform’s privacy-centric value proposition. The high volume of CVEs suggests persistent issues in the codebase’s security hygiene, requiring rigorous patching and secure coding practices to mitigate risks associated with its network-exposed features and plugin architecture.

Top products by siyuan-note: siyuan
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-44670 | SiYuan: Stored XSS via Attribute View name to Electron renderer RCE in SiYuan | siyuan | CWE-79 | - | - | 2026-05-14 |
| CVE-2026-44588 | SiYuan: URL-encoded title bypasses `escapeAriaLabel`, decoded by `decodeURIComponent` into a tooltip-XSS | siyuan | CWE-79 | - | - | 2026-05-14 |
| CVE-2026-45147 | SiYuan: Broken access control in SiYuan `/api/tag/getTag` — Reader role can mutate `Conf.Tag.Sort` and persist to disk | siyuan | CWE-285 | 4.3 | Medium | 2026-05-14 |
| CVE-2026-45148 | SiYuan: Broken access control in SiYuan publish-mode Readers can enumerate metadata | siyuan | CWE-863 | 4.3 | Medium | 2026-05-14 |
| CVE-2026-45371 | SiYuan: SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs | siyuan | CWE-285 | - | - | 2026-05-14 |
| CVE-2026-45375 | SiYuan: Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution | siyuan | CWE-79 | 9.0 | Critical | 2026-05-14 |
| CVE-2026-44586 | SiYuan: Bazaar marketplace renders unescaped package author metadata, allowing XSS and Electron code execution | siyuan | CWE-79 | 8.3 | High | 2026-05-14 |
| CVE-2026-41894 | SiYuan: Incomplete Fix Bypass for CVE-2026-30869: Path Traversal via Double URL Encoding in `/export/` Endpoint | siyuan | CWE-22 | 6.5 (AI) | Medium (AI) | 2026-04-24 |
| CVE-2026-41421 | SiYuan Desktop Notification XSS Leads to Electron RCE | siyuan | CWE-78 | 8.8 | High | 2026-04-24 |
| CVE-2026-40922 | SiYuan: Incomplete sanitization of bazaar README allows stored XSS via iframe srcdoc (incomplete fix for CVE-2026-33066) | siyuan | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-04-16 |
| CVE-2026-40322 | SiYuan: Mermaid `javascript:` Link Injection Leads to Stored XSS and Electron RCE | siyuan | CWE-79 | 9.1 | Critical | 2026-04-16 |
| CVE-2026-40318 | SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView` | siyuan | CWE-24 | 8.5 | High | 2026-04-16 |
| CVE-2026-40259 | SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via removeUnusedAttributeView API | siyuan | CWE-285 | 8.1 | High | 2026-04-16 |
| CVE-2026-40107 | SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering | siyuan | CWE-918 | 6.1 (AI) | Medium (AI) | 2026-04-09 |
| CVE-2026-39846 | SiYuan affected by Remote Code Execution in the Electron desktop client via stored XSS in synced table captions | siyuan | CWE-79 | 9.1 | Critical | 2026-04-07 |
| CVE-2026-34605 | SiYuan: Reflected XSS via SVG namespace prefix bypass in SanitizeSVG (getDynamicIcon, unauthenticated) | siyuan | CWE-79 | 6.1 | - | 2026-03-31 |
| CVE-2026-34585 | SiYuan: Stored XSS in imported .sy.zip content leads to arbitrary command execution | siyuan | CWE-79 | 8.6 | High | 2026-03-31 |
| CVE-2026-34449 | SiYuan: Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection | siyuan | CWE-942 | 9.7 | Critical | 2026-03-31 |
| CVE-2026-34448 | SiYuan: Stored XSS in Attribute View gallery/kanban cover rendering allows arbitrary command execution in the desktop client | siyuan | CWE-79 | 9.1 | Critical | 2026-03-31 |
| CVE-2026-34453 | SiYuan: Broken access control in /api/bookmark/getBookmark allows unauthenticated publish visitors to read password-protected bookmarked content | siyuan | CWE-863 | 7.5 | High | 2026-03-31 |
| CVE-2026-33670 | SiYuan has directory traversal within its publishing service | siyuan | CWE-22 | 9.8 | Critical | 2026-03-26 |
| CVE-2026-33669 | SiYuan has Arbitrary Document Reading within the Publishing Service | siyuan | CWE-125 | 9.8 | Critical | 2026-03-26 |
| CVE-2026-33476 | SiYuan has an Unauthenticated Arbitrary File Read via Path Traversal | siyuan | CWE-22 | 7.5 | High | 2026-03-20 |
| CVE-2026-33203 | SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass | siyuan | CWE-248 | 7.5 | High | 2026-03-20 |
| CVE-2026-33194 | SiYuan has an Incomplete Fix for IsSensitivePath Denylist Allows File Read from /opt, /usr, /home | siyuan | CWE-22 | 6.8 | Medium | 2026-03-20 |
| CVE-2026-33067 | SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata | siyuan | CWE-79 | 7.6 | - | 2026-03-20 |
| CVE-2026-33066 | SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering | siyuan | CWE-79 | 5.4 | - | 2026-03-20 |
| CVE-2026-32940 | SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183) | siyuan | CWE-79 | 9.3 | Critical | 2026-03-20 |
| CVE-2026-32938 | SiYuan has an Arbitrary File Read in its Desktop Publish Service | siyuan | CWE-22 | 9.9 | Critical | 2026-03-20 |
| CVE-2026-32767 | SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API | siyuan | CWE-89 | 9.8 | Critical | 2026-03-20 |

Values marked (AI) are AI-generated scores; "-" means no score or severity is listed for that entry.

This page lists every published CVE security advisory associated with siyuan-note. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.