siyuan-note
Latest CVEs
The 15 most recently published vulnerabilities affecting siyuan-note.
- CVE-2026-45147: SiYuan: Broken access control in SiYuan `/api/tag/getTag` — Reader role can mutate `Conf.Tag.Sort` and persist to disk (score 4.3)
- CVE-2026-45148: SiYuan: Broken access control in SiYuan publish-mode Readers can enumerate metadata (score 4.3)
- CVE-2026-45375: SiYuan: Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution (score 9.0)
- CVE-2026-44586: SiYuan: Bazaar marketplace renders unescaped package author metadata, allowing XSS and Electron code execution (score 8.3)
- CVE-2026-41421: SiYuan Desktop Notification XSS Leads to Electron RCE (score 8.8)
- CVE-2026-40922: SiYuan: Incomplete sanitization of bazaar README allows stored XSS via iframe srcdoc (incomplete fix for CVE-2026-33066) (score 5.4)
- CVE-2026-40322: SiYuan: Mermaid `javascript:` Link Injection Leads to Stored XSS and Electron RCE (score 9.0)
- CVE-2026-40318: SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView` (score 8.5)
- CVE-2026-40259: SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via removeUnusedAttributeView API (score 8.1)
- CVE-2026-40107: SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering (score 6.5)
- CVE-2026-39846: SiYuan affected by Remote Code Execution in the Electron desktop client via stored XSS in synced table captions (score 9.0)
- CVE-2026-34605: SiYuan: Reflected XSS via SVG namespace prefix bypass in SanitizeSVG (getDynamicIcon, unauthenticated) (score 6.1)
- CVE-2026-34585: SiYuan: Stored XSS in imported .sy.zip content leads to arbitrary command execution (score 8.6)
- CVE-2026-34449: SiYuan: Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection (score 9.6)
- CVE-2026-34448: SiYuan: Stored XSS in Attribute View gallery/kanban cover rendering allows arbitrary command execution in the desktop client (score 9.0)