Vulnerabilities in siyuan-note

58 results
| CVE | Severity | Title | EPSS |
|---|---|---|---|
| CVE-2026-33476 | HIGH | SiYuan has an Unauthenticated Arbitrary File Read via Path Traversal | 3.3% |
| CVE-2026-34453 | HIGH | SiYuan: Broken access control in /api/bookmark/getBookmark allows unauthenticated publish visitors to read password-protected bookmarked content | 1.2% |
| CVE-2026-30869 | CRITICAL | SiYuan has a Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage | 1.0% |
| CVE-2026-25539 | CRITICAL | SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE | 1.0% |
| CVE-2026-32751 | MEDIUM | SiYuan Vulnerable to Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface | 0.8% |
| CVE-2024-55657 | HIGH | SiYuan has an arbitrary file read via /api/template/render | 0.7% |
| CVE-2026-23852 | MEDIUM | SiYuan vulnerable to Stored XSS / RCE via `setBlockAttrs` icon attribute | 0.7% |
| CVE-2026-33670 | CRITICAL | SiYuan has directory traversal within its publishing service | 0.7% |
| CVE-2026-29183 | CRITICAL | SiYuan: Unauthenticated reflected SVG XSS in `/api/icon/getDynamicIcon` (`type=8`) enables arbitrary JavaScript execution | 0.6% |
| CVE-2024-55660 | MEDIUM | SiYuan has an SSTI via /api/template/renderSprig | 0.6% |
| CVE-2024-55658 | HIGH | SiYuan has an arbitrary file read and path traversal via /api/export/exportResources | 0.6% |
| CVE-2026-33066 | MEDIUM | SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering | 0.6% |
| CVE-2025-21609 | HIGH | SiYuan has an arbitrary file deletion vulnerability | 0.6% |
| CVE-2026-33067 | MEDIUM | SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata | 0.5% |
| CVE-2026-32767 | CRITICAL | SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API | 0.5% |
| CVE-2026-39846 | CRITICAL | SiYuan affected by Remote Code Execution in the Electron desktop client via stored XSS in synced table captions | 0.5% |
| CVE-2026-33669 | CRITICAL | SiYuan has Arbitrary Document Reading within the Publishing Service | 0.5% |
| CVE-2026-23850 | HIGH | SiYuan vulnerable to arbitrary file read | 0.5% |
| CVE-2026-44588 | CRITICAL | SiYuan: URL-encoded title bypasses `escapeAriaLabel`, decoded by `decodeURIComponent` into a tooltip-XSS | 0.5% |
| CVE-2026-44670 | CRITICAL | SiYuan: Stored XSS via Attribute View name to Electron renderer RCE in SiYuan | 0.5% |