📦 Siyuan
by B3log
🔍 What is Siyuan?
SiYuan is a personal knowledge management (note-taking) system developed by B3log. The entries below are the publicly reported vulnerabilities in it; each summary is truncated, so follow the entry for the full advisory and affected-version range.
🛡️ Security Overview
⚠️ Known Vulnerabilities
This vulnerability allows authenticated users of SiYuan personal knowledge management system to write files to arbitrary locations on the filesystem due to improper validation of the dest parameter in...
SiYuan personal knowledge management systems before version 3.5.4 have a stored XSS vulnerability in the dynamic icon feature. Attackers can inject malicious HTML attributes via the /api/attr/setBlock...
SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability in the POST /api/history/getDocHistoryContent endpoint. Attackers can craft payloads to delete arbitrary files on the server, po...
This CVE describes a Server-Side Template Injection (SSTI) vulnerability in SiYuan's Sprig template engine that allows attackers to access environment variables. Attackers can exploit the /api/templat...
A SQL injection vulnerability in Siyuan 3.1.11 allows attackers to execute arbitrary SQL commands via the notebook parameter in the /searchHistory endpoint. This affects all users running vulnerable v...
A SQL injection vulnerability in Siyuan 3.1.11 allows attackers to execute arbitrary SQL commands via the ids array parameter in the /batchGetBlockAttrs endpoint. This affects all users running vulner...
CVE-2024-2692 is a Server-Side Cross-Site Scripting (XSS) vulnerability in SiYuan note-taking software version 3.0.3 that allows attackers to execute arbitrary commands on the server. This occurs beca...
SiYuan personal knowledge management system versions before 3.5.4 contain a path traversal vulnerability in the markdown feature's HTML rendering. This allows attackers to read arbitrary files on the ...
This vulnerability allows attackers to decrypt session cookies and steal authentication credentials in SiYuan Note software. Attackers who intercept session cookies can extract the AccessAuthCode and ...
This ZipSlip vulnerability in SiYuan personal knowledge management software allows authenticated users to overwrite arbitrary files on the system through the import functionality. Attackers can achiev...
CVE-2024-55657 is an arbitrary file read vulnerability in SiYuan personal knowledge management systems. Attackers can exploit the unvalidated path parameter in the /api/template/render endpoint to rea...
CVE-2026-25647 is a stored cross-site scripting (XSS) vulnerability in Lute's Markdown rendering engine that allows attackers to inject malicious JavaScript into Markdown content. When other users vie...
SiYuan personal knowledge management systems before version 3.5.4 are vulnerable to reflected cross-site scripting (XSS) via the /api/icon/getDynamicIcon endpoint. Attackers can inject malicious SVG c...
This CVE describes a path traversal vulnerability in SiYuan's file copy endpoint that allows authenticated users to copy arbitrary files from the server's filesystem into the application workspace. Th...
This vulnerability in SiYuan personal knowledge management systems allows attackers to write arbitrary files to the host server and execute stored cross-site scripting attacks through the file upload ...
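Five of the entries above (the arbitrary write via the `dest` parameter, the ZipSlip in import, the arbitrary read via the unvalidated `path` parameter of `/api/template/render`, the file-copy traversal, and the markdown HTML-rendering traversal) are one bug class: a caller-supplied path is joined onto the workspace directory without checking that the result still lies inside it. The check below is an added example written for this page, not code from SiYuan or B3log; it is in Go because that is the language of SiYuan's kernel, and the names `ConfinePath`, `SafeZipEntries` and `ErrOutsideWorkspace` are assumed for the demonstration. It shows the confinement test a reviewer would expect on each of those endpoints, and applies it to every entry of an in-memory zip archive (constructed here, not a real SiYuan export) before anything is written, which is the ZipSlip gate the import path was missing.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideWorkspace is returned when a caller-supplied path would resolve
// outside the directory it must stay in. (Hypothetical name for this example.)
var ErrOutsideWorkspace = errors.New("path escapes workspace")

// ConfinePath joins a caller-controlled relative path onto workspace and
// returns the cleaned absolute result, or ErrOutsideWorkspace if the result
// would leave workspace. It rejects absolute and rooted input outright,
// collapses "..", and avoids the prefix trap ("/ws" vs "/wsevil") by comparing
// against the workspace plus a trailing separator. It does not resolve symlinks.
func ConfinePath(workspace, userPath string) (string, error) {
	if workspace == "" {
		return "", errors.New("empty workspace")
	}
	absWS, err := filepath.Abs(workspace)
	if err != nil {
		return "", err
	}
	// A dest of "/etc/passwd" or "C:\..." is never legitimate here, even if
	// the join below would happen to land inside absWS on some platform.
	if filepath.IsAbs(userPath) ||
		strings.HasPrefix(userPath, "/") || strings.HasPrefix(userPath, "\\") {
		return "", ErrOutsideWorkspace
	}
	joined := filepath.Join(absWS, userPath) // Join also runs Clean, collapsing ".."
	if joined == absWS {
		return joined, nil // "" or "." refers to the workspace root itself
	}
	if !strings.HasPrefix(joined, absWS+string(filepath.Separator)) {
		return "", ErrOutsideWorkspace
	}
	return joined, nil
}

// SafeZipEntries resolves the on-disk target of every entry in archive under
// dest and refuses the whole import if any entry would land outside it.
// Every name is validated before a single byte is written: an extraction that
// stops at the malicious entry has already written the earlier ones.
func SafeZipEntries(archive []byte, dest string) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	// Go 1.20+ can flag non-local names itself (ErrInsecurePath) but still
	// returns the reader; the check below is applied either way.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	targets := make([]string, 0, len(zr.File))
	for _, f := range zr.File {
		// Zip names are '/'-separated on every platform; convert before joining.
		target, err := ConfinePath(dest, filepath.FromSlash(f.Name))
		if err != nil {
			return nil, fmt.Errorf("zip entry %q: %w", f.Name, err)
		}
		targets = append(targets, target)
	}
	return targets, nil
}

// buildSampleArchive builds an in-memory zip with the given entry names.
// Constructed demo data only, not a real SiYuan export.
func buildSampleArchive(names []string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, n := range names {
		w, err := zw.Create(n)
		if err != nil {
			panic(err)
		}
		_, _ = w.Write([]byte("x"))
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	ws := filepath.Join(string(filepath.Separator), "srv", "siyuan", "workspace")
	for _, p := range []string{"data/notes/a.sy", "notes/../../../etc/passwd", "/etc/passwd"} {
		got, err := ConfinePath(ws, p)
		fmt.Printf("%-32q -> %q err=%v\n", p, got, err)
	}
	evil := buildSampleArchive([]string{"data/doc.sy", "../../../root/.ssh/authorized_keys"})
	_, err := SafeZipEntries(evil, ws)
	fmt.Println("import of constructed archive:", err)
}
```

Two caveats a practitioner would add before relying on this in a handler. `ConfinePath` works on the lexical path only: if an attacker can plant a symlink inside the workspace (the file-write and import entries above give exactly that ability), resolve the final path with `filepath.EvalSymlinks` once the parent exists and re-run the prefix comparison. And the check must sit in every endpoint that touches the filesystem on the user's behalf (write, read, copy, delete, render), not only in the import path, since the entries above show the same omission repeated across unrelated API routes.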