
siyuan-note — Vulnerabilities & Security Advisories (51)

Browse all 51 CVE security advisories affecting siyuan-note. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Siyuan-note is a local-first, privacy-focused knowledge management application designed for note-taking and information organization. Despite its emphasis on data sovereignty, the software has accumulated 51 recorded Common Vulnerabilities and Exposures (CVEs), indicating significant historical security challenges. These vulnerabilities predominantly involve remote code execution, cross-site scripting, and privilege escalation flaws, often stemming from insufficient input validation and improper access controls within its web-based interface components. Notably, several incidents have allowed attackers to execute arbitrary commands or access sensitive user data without authentication, undermining the platform’s privacy-centric value proposition. The high volume of CVEs suggests persistent issues in the codebase’s security hygiene, requiring rigorous patching and secure coding practices to mitigate risks associated with its network-exposed features and plugin architecture.

Top products by siyuan-note: siyuan
Columns: CVE ID | Title | Product | CWE | CVSS | Severity | Published. "(AI)" marks a score or severity the listing flags as AI-generated rather than taken from the advisory.

CVE ID | Title | Product | CWE | CVSS | Severity | Published
CVE-2026-41894 | SiYuan: Incomplete Fix Bypass for CVE-2026-30869: Path Traversal via Double URL Encoding in `/export/` Endpoint | siyuan | CWE-22 | 6.5 (AI) | Medium (AI) | 2026-04-24
CVE-2026-41421 | SiYuan Desktop Notification XSS Leads to Electron RCE | siyuan | CWE-78 | 8.8 | High | 2026-04-24
CVE-2026-40922 | SiYuan: Incomplete sanitization of bazaar README allows stored XSS via iframe srcdoc (incomplete fix for CVE-2026-33066) | siyuan | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-04-16
CVE-2026-40322 | SiYuan: Mermaid `javascript:` Link Injection Leads to Stored XSS and Electron RCE | siyuan | CWE-79 | 9.1 | Critical | 2026-04-16
CVE-2026-40318 | SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView` | siyuan | CWE-24 | 8.5 | High | 2026-04-16
CVE-2026-40259 | SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via removeUnusedAttributeView API | siyuan | CWE-285 | 8.1 | High | 2026-04-16
CVE-2026-40107 | SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering | siyuan | CWE-918 | 6.1 (AI) | Medium (AI) | 2026-04-09
CVE-2026-39846 | SiYuan affected by Remote Code Execution in the Electron desktop client via stored XSS in synced table captions | siyuan | CWE-79 | 9.1 | Critical | 2026-04-07
CVE-2026-34605 | SiYuan: Reflected XSS via SVG namespace prefix bypass in SanitizeSVG (getDynamicIcon, unauthenticated) | siyuan | CWE-79 | 6.1 | - | 2026-03-31
CVE-2026-34585 | SiYuan: Stored XSS in imported .sy.zip content leads to arbitrary command execution | siyuan | CWE-79 | 8.6 | High | 2026-03-31
CVE-2026-34449 | SiYuan: Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection | siyuan | CWE-942 | 9.7 | Critical | 2026-03-31
CVE-2026-34448 | SiYuan: Stored XSS in Attribute View gallery/kanban cover rendering allows arbitrary command execution in the desktop client | siyuan | CWE-79 | 9.1 | Critical | 2026-03-31
CVE-2026-34453 | SiYuan: Broken access control in /api/bookmark/getBookmark allows unauthenticated publish visitors to read password-protected bookmarked content | siyuan | CWE-863 | 7.5 | High | 2026-03-31
CVE-2026-33670 | SiYuan has directory traversal within its publishing service | siyuan | CWE-22 | 9.8 | Critical | 2026-03-26
CVE-2026-33669 | SiYuan has Arbitrary Document Reading within the Publishing Service | siyuan | CWE-125 | 9.8 | Critical | 2026-03-26
CVE-2026-33476 | SiYuan has an Unauthenticated Arbitrary File Read via Path Traversal | siyuan | CWE-22 | 7.5 | High | 2026-03-20
CVE-2026-33203 | SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass | siyuan | CWE-248 | 7.5 | High | 2026-03-20
CVE-2026-33194 | SiYuan has an Incomplete Fix for IsSensitivePath Denylist Allows File Read from /opt, /usr, /home | siyuan | CWE-22 | 6.8 | Medium | 2026-03-20
CVE-2026-33067 | SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata | siyuan | CWE-79 | 7.6 | - | 2026-03-20
CVE-2026-33066 | SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering | siyuan | CWE-79 | 5.4 | - | 2026-03-20
CVE-2026-32940 | SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183) | siyuan | CWE-79 | 9.3 | Critical | 2026-03-20
CVE-2026-32938 | SiYuan has an Arbitrary File Read in its Desktop Publish Service | siyuan | CWE-22 | 9.9 | Critical | 2026-03-20
CVE-2026-32767 | SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API | siyuan | CWE-89 | 9.8 | Critical | 2026-03-20
CVE-2026-32815 | SiYuan: Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure | siyuan | CWE-287 | 9.1 | - | 2026-03-19
CVE-2026-32750 | SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes | siyuan | CWE-22 | 6.8 | Medium | 2026-03-19
CVE-2026-32751 | SiYuan Vulnerable to Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface | siyuan | CWE-79 | 5.4 | - | 2026-03-19
CVE-2026-32749 | SiYuan importSY/importZipMd: Path Traversal via multipart filename enables arbitrary file write | siyuan | CWE-73 | 7.6 | High | 2026-03-19
CVE-2026-32747 | SiYuan: Incomplete sensitive path blocklist in globalCopyFiles allows reading /proc and Docker secrets | siyuan | CWE-22 | 6.8 | Medium | 2026-03-19
CVE-2026-32704 | SiYuan renderSprig: missing admin check allows any user to read full workspace DB | siyuan | CWE-285 | 6.5 | Medium | 2026-03-13
CVE-2026-32110 | SiYuan has a Full-Read SSRF via /api/network/forwardProxy | siyuan | CWE-918 | 8.3 | High | 2026-03-11

This page lists every published CVE security advisory associated with siyuan-note. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.