B3log

Siyuan

55 vulnerabilities found.

Note: This list may be incomplete. Data is provided in its original format without warranty.
Exploit
  • EPSS 0.26%
  • Published 19.01.2026 19:46:08
  • Last modified 30.01.2026 15:36:42

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons (type=8). The conten...

Exploit
  • EPSS 0.25%
  • Published 16.01.2026 19:20:06
  • Last modified 30.01.2026 19:32:11

SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views...

Exploit
  • EPSS 0.2%
  • Published 27.12.2025 00:21:31
  • Last modified 02.01.2026 19:30:38

SiYuan is self-hosted, open source personal knowledge management software. In versions 3.5.1 and prior, the SiYuan Note application utilizes a hardcoded cryptographic secret for its session store. This unsafe practice renders the session encryption i...

Exploit
  • EPSS 0.37%
  • Published 09.12.2025 20:32:37
  • Last modified 30.01.2026 19:30:11

SiYuan is self-hosted, open source personal knowledge management software. Versions 0.0.0-20251202123337-6ef83b42c7ce and below contain function importZipMd which is vulnerable to ZipSlips, allowing an authenticated user to overwrite files on the sys...

Exploit
  • EPSS 0.58%
  • Published 03.01.2025 17:15:09
  • Last modified 14.05.2025 14:39:30

SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can cra...

  • EPSS 0.59%
  • Published 12.12.2024 02:15:32
  • Last modified 05.06.2025 20:42:58

SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's `/api/template/renderSprig` endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limitations, it...

  • EPSS 0.36%
  • Published 12.12.2024 02:15:32
  • Last modified 05.06.2025 20:41:57

SiYuan is a personal knowledge management system. Prior to version 3.1.16, the `/api/asset/upload` endpoint in Siyuan is vulnerable to both arbitrary file write to the host and stored cross-site scripting (via the file write). Version 3.1.16 contains...

  • EPSS 0.59%
  • Published 12.12.2024 02:15:32
  • Last modified 05.06.2025 20:41:46

SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's /api/export/exportResources endpoint is vulnerable to arbitrary file read via path traversal. It is possible to manipulate the paths parameter to access and download a...

  • EPSS 0.72%
  • Published 12.12.2024 02:15:32
  • Last modified 05.06.2025 20:41:33

SiYuan is a personal knowledge management system. Prior to version 3.1.16, an arbitrary file read vulnerability exists in Siyuan's `/api/template/render` endpoint. The absence of proper validation on the path parameter allows attackers to access sens...

Exploit
  • EPSS 0.55%
  • Published 29.11.2024 20:15:21
  • Last modified 14.04.2025 14:57:23

A SQL injection vulnerability was discovered in Siyuan 3.1.11 in /getHistoryItems.