CVE-2026-54069

CVE-2026-54069 is a critical-severity vulnerability with a CVSS 4.0 base score of 9.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-346.

Key facts

Description

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. Combined with the default empty AccessAuthCode on desktop installs, any Chrome/Chromium extension -- including a compromised legitimate extension via supply chain attack -- can make fully authenticated admin API calls to the SiYuan kernel at 127.0.0.1:6806, enabling data exfiltration, stored XSS injection, and configuration tampering. This vulnerability is fixed in 3.7.0.

Frequently asked questions

What is CVE-2026-54069?
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. Combined with the default empty AccessAuthCode on desktop installs, any Chrome/Chromium extension -- including a compromised legitimate extension via supply chain attack -- can make fully authenticated admin API calls to the SiYuan kernel at 127.0.0.1:6806, enabling data exfiltration, stored XSS injection, and configuration tampering. This vulnerability is fixed in 3.7.0.
How severe is CVE-2026-54069?
CVE-2026-54069 has a CVSS 4.0 base score of 9.2, rated critical severity.
Is CVE-2026-54069 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (45th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2026-54069?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
Does CVE-2026-54069 have an EU (EUVD) identifier?
Yes. CVE-2026-54069 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-39125.
When was CVE-2026-54069 published?
CVE-2026-54069 was published on 2026-06-24 and last updated on 2026-06-25.

References

Other CWE-346 vulnerabilities

Browse all CWE-346 vulnerabilities →