Siyuan
This hub aggregates every CVE we track for Siyuan, a product in the OSS libraries category. Use it to gauge the current risk picture and drill into individual advisories.
- 61 CVEs tracked
- 26 Critical
- 18 High
- 0 in CISA KEV
Severity distribution: Critical 26, High 18, Medium 16, Low 1
Monthly trend (chart, 2024-07 to 2026-06), monthly values in order: 1, 0, 0, 0, 4, 4, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 5, 3, 27, 7, 4, 2
Latest CVEs
The 15 most recently published vulnerabilities affecting Siyuan.
- CVE-2026-56397: SiYuan - Remote Code Execution via Malicious Bazaar Package Metadata and README (score: 9.6)
- CVE-2026-56395: SiYuan - Remote Code Execution via Malicious Bazaar Package Metadata and README (score: 9.6)
- CVE-2026-45147: SiYuan: Broken access control in SiYuan `/api/tag/getTag` — Reader role can mutate `Conf.Tag.Sort` and persist to disk (score: 4.3)
- CVE-2026-45148: SiYuan: Broken access control in SiYuan publish-mode, Readers can enumerate metadata (score: 4.3)
- CVE-2026-45375: SiYuan: Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution (score: 9.0)
- CVE-2026-44586: SiYuan: Bazaar marketplace renders unescaped package author metadata, allowing XSS and Electron code execution (score: 8.3)
- CVE-2026-41421: SiYuan Desktop Notification XSS Leads to Electron RCE (score: 8.8)
- CVE-2026-40922: SiYuan: Incomplete sanitization of bazaar README allows stored XSS via iframe srcdoc (incomplete fix for CVE-2026-33066) (score: 5.4)
- CVE-2026-40322: SiYuan: Mermaid `javascript:` Link Injection Leads to Stored XSS and Electron RCE (score: 9.0)
- CVE-2026-40318: SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView` (score: 8.5)
- CVE-2026-40259: SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via removeUnusedAttributeView API (score: 8.1)
- CVE-2026-40107: SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering (score: 6.5)
- CVE-2026-39846: SiYuan affected by Remote Code Execution in the Electron desktop client via stored XSS in synced table captions (score: 9.0)
- CVE-2026-34605: SiYuan: Reflected XSS via SVG namespace prefix bypass in SanitizeSVG (getDynamicIcon, unauthenticated) (score: 6.1)
- CVE-2026-34585: SiYuan: Stored XSS in imported .sy.zip content leads to arbitrary command execution (score: 8.6)
Product normalization is registry-driven with AI assist and human review.