Vulnerabilities in siyuan-note

58 results (20 shown)
CVE ID          Severity  Title                                                                                                                          EPSS
CVE-2026-25992  HIGH      SiYuan has a File Read Interface Case Bypass Vulnerability                                                                     0.5%
CVE-2026-31809  MEDIUM    SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS                                    0.5%
CVE-2026-34449  CRITICAL  SiYuan: Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection                                           0.5%
CVE-2026-33203  HIGH      SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass                                                          0.5%
CVE-2026-34448  CRITICAL  SiYuan: Stored XSS in Attribute View gallery/kanban cover rendering allows arbitrary command execution in the desktop client   0.5%
CVE-2026-33194  MEDIUM    SiYuan has an Incomplete Fix for IsSensitivePath Denylist Allows File Read from /opt, /usr, /home                              0.5%
CVE-2026-34605  HIGH      SiYuan: Reflected XSS via SVG namespace prefix bypass in SanitizeSVG (getDynamicIcon, unauthenticated)                         0.5%
CVE-2026-31807  MEDIUM    SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS                                                0.4%
CVE-2026-23851  HIGH      SiYuan Vulnerable to Arbitrary File Read via File Copy Functionality                                                           0.4%
CVE-2026-32749  HIGH      SiYuan importSY/importZipMd: Path Traversal via multipart filename enables arbitrary file write                                0.4%
CVE-2026-32750  MEDIUM    SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes                               0.4%
CVE-2026-32938  CRITICAL  SiYuan has an Arbitrary File Read in its Desktop Publish Service                                                               0.4%
CVE-2026-32747  MEDIUM    SiYuan: Incomplete sensitive path blocklist in globalCopyFiles allows reading /proc and Docker secrets                         0.4%
CVE-2026-40259  HIGH      SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via removeUnusedAttributeView API                           0.4%
CVE-2025-67488  HIGH      SiYuan: ZipSlip -> Arbitrary File Overwrite -> RCE                                                                             0.4%
CVE-2024-55659  HIGH      SiYuan has an arbitrary file write in the host via /api/asset/upload                                                           0.4%
CVE-2026-32815  MEDIUM    SiYuan: Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure                    0.4%
CVE-2026-45375  CRITICAL  SiYuan: Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution  0.4%
CVE-2026-34585  HIGH      SiYuan: Stored XSS in imported .sy.zip content leads to arbitrary command execution                                            0.3%
CVE-2026-29073  MEDIUM    SiYuan: Direct SQL Query API accessible to Reader-level users enables unauthorized database access                             0.3%