siyuan-note — Vulnerabilities & Security Advisories (51)

Browse all 51 CVE security advisories affecting siyuan-note. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Siyuan-note is a local-first, privacy-focused knowledge management application designed for note-taking and information organization. Despite its emphasis on data sovereignty, the software has accumulated 51 recorded Common Vulnerabilities and Exposures (CVEs), indicating significant historical security challenges. These vulnerabilities predominantly involve remote code execution, cross-site scripting, and privilege escalation flaws, often stemming from insufficient input validation and improper access controls within its web-based interface components. Notably, several incidents have allowed attackers to execute arbitrary commands or access sensitive user data without authentication, undermining the platform’s privacy-centric value proposition. The high volume of CVEs suggests persistent issues in the codebase’s security hygiene, requiring rigorous patching and secure coding practices to mitigate risks associated with its network-exposed features and plugin architecture.

Top products by siyuan-note: siyuan
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-31809 | SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS | siyuan | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-31807 | SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS | siyuan | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-30869 | SiYuan has a Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage | siyuan | CWE-22 | 9.3 | Critical | 2026-03-09 |
| CVE-2026-30926 | SiYuan Note publish service authorization bypass allows low-privilege users to modify notebook content | siyuan | CWE-284 | 7.1 | High | 2026-03-09 |
| CVE-2026-29183 | SiYuan: Unauthenticated reflected SVG XSS in `/api/icon/getDynamicIcon` (`type=8`) enables arbitrary JavaScript execution | siyuan | CWE-79 | 9.3 | Critical | 2026-03-06 |
| CVE-2026-29073 | SiYuan: Direct SQL Query API accessible to Reader-level users enables unauthorized database access | siyuan | CWE-862 | 8.8 | - | 2026-03-06 |
| CVE-2026-25992 | SiYuan has a File Read Interface Case Bypass Vulnerability | siyuan | CWE-22 | 7.5 | High | 2026-02-10 |
| CVE-2026-25647 | Lute has a Stored Cross-Site Scripting (XSS) via Markdown hyperlink | siyuan | CWE-79 | 4.6 | Medium | 2026-02-06 |
| CVE-2026-25539 | SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE | siyuan | CWE-22 | 9.1 | Critical | 2026-02-04 |
| CVE-2026-23852 | SiYuan vulnerable to Stored XSS / RCE via `setBlockAttrs` icon attribute | siyuan | CWE-94 | 8.2 (AI) | High (AI) | 2026-01-19 |
| CVE-2026-23851 | SiYuan Vulnerable to Arbitrary File Read via File Copy Functionality | siyuan | CWE-22 | 8.1 (AI) | High (AI) | 2026-01-19 |
| CVE-2026-23850 | SiYuan vulnerable to arbitrary file read | siyuan | CWE-22 | 6.5 (AI) | Medium (AI) | 2026-01-19 |
| CVE-2026-23847 | SiYuan Vulnerable to Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon | siyuan | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-01-19 |
| CVE-2026-23645 | SiYuan Vulnerable to Stored Cross-Site Scripting (XSS) via Unrestricted SVG File Upload | siyuan | CWE-79 | 5.4 | - | 2026-01-16 |
| CVE-2025-68948 | SiYuan: Information Disclosure and Authentication Bypass via Hardcoded Session Secret | siyuan | CWE-321 | 8.4 | - | 2025-12-27 |
| CVE-2025-67488 | SiYuan: ZipSlip -> Arbitrary File Overwrite -> RCE | siyuan | CWE-22 | 7.8 | High | 2025-12-09 |
| CVE-2025-21609 | SiYuan has an arbitrary file deletion vulnerability | siyuan | CWE-459 | 8.1 | - | 2025-01-03 |
| CVE-2024-55660 | SiYuan has an SSTI via /api/template/renderSprig | siyuan | CWE-1336 | 6.5 | - | 2024-12-11 |
| CVE-2024-55659 | SiYuan has an arbitrary file write in the host via /api/asset/upload | siyuan | CWE-22 | 5.4 | - | 2024-12-11 |
| CVE-2024-55658 | SiYuan has an arbitrary file read and path traversal via /api/export/exportResources | siyuan | CWE-22 | 6.5 | - | 2024-12-11 |
| CVE-2024-55657 | SiYuan has an arbitrary file read via /api/template/render | siyuan | CWE-22 | 6.5 | - | 2024-12-11 |

Values marked (AI) were flagged on the listing as AI-estimated scores or severities rather than published ones; "-" means no severity was listed.

This page lists every published CVE security advisory associated with siyuan-note. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.